| field | value | date |
|---|---|---|
| author | Jeroen Ruigrok van der Werven <asmodai@FreeBSD.org> | 2001-02-27 09:42:45 +0000 |
| committer | Jeroen Ruigrok van der Werven <asmodai@FreeBSD.org> | 2001-02-27 09:42:45 +0000 |
| commit | 28cd934b3f1b109e95b362bb3e1878b4803afcf2 (patch) | |
| tree | 7c36b08c29b08007799b96cf0669e0abf6da1e9c /contrib/bind | |
| parent | 0c0bc247b7da4a95188b93668fd74c5177ef921b (diff) | |
Diffstat (limited to 'contrib/bind')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | contrib/bind/doc/html/config.html | 4 |
| -rw-r--r-- | contrib/bind/doc/html/options.html | 9 |
| -rw-r--r-- | contrib/bind/doc/html/server.html | 6 |
| -rw-r--r-- | contrib/bind/doc/man/dnssigner.1 | 213 |
| -rw-r--r-- | contrib/bind/doc/man/named.conf.5 | 30 |
| -rw-r--r-- | contrib/bind/doc/man/nsupdate.8 | 5 |
| -rw-r--r-- | contrib/bind/doc/man/resolver.3 | 5 |
| -rw-r--r-- | contrib/bind/doc/misc/IPv6 | 72 |
8 files changed, 325 insertions, 19 deletions
diff --git a/contrib/bind/doc/html/config.html b/contrib/bind/doc/html/config.html index 97f3a1b03779..b139ef2c23d6 100644 --- a/contrib/bind/doc/html/config.html +++ b/contrib/bind/doc/html/config.html @@ -11,7 +11,7 @@ <H3>Overview</H3> -<P>BIND 8 is much more configurable than previous release of BIND. +<P>BIND 8 is much more configurable than previous releases of BIND. There are entirely new areas of configuration, such as access control lists and categorized logging. Many options that previously applied to all zones can now be used selectively. These features, plus a consideration of future @@ -91,7 +91,7 @@ the BIND 8.2.x source kits. <HR> <ADDRESS> -Last Updated: $Id: config.html,v 1.10 1999/09/15 20:28:01 cyarnell Exp $ +Last Updated: $Id: config.html,v 1.11 2000/11/28 20:03:48 cyarnell Exp $ </ADDRESS> </BODY> </HTML> diff --git a/contrib/bind/doc/html/options.html b/contrib/bind/doc/html/options.html index 5e96d1f37204..d5ea552a1940 100644 --- a/contrib/bind/doc/html/options.html +++ b/contrib/bind/doc/html/options.html @@ -27,6 +27,7 @@ options { [ fetch-glue <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ has-old-clients <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ host-statistics <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] + [ host-statistics-max <VAR>number</VAR>; ] [ multiple-cnames <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ notify <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] [ recursion <VAR><A HREF="docdef.html">yes_or_no</A></VAR>; ] 
@@ -200,6 +201,12 @@ If <CODE>yes</CODE>, statistics are kept for every host that the the nameserver interacts with. The default is <CODE>no</CODE>. <I>Note:</I> turning on <CODE>host-statistics</CODE> can consume huge amounts of memory. +<DT><CODE>host-statistics-max</CODE> +<DD> +The maximum number of host records that will be kept. When this limit is +reached no new hosts will be added to the host statistics. If the set +to zero then there is no limit set. The default value is zero. + <DT><CODE>maintain-ixfr-base</CODE> <DD> If <CODE>yes</CODE>, a transaction log is kept for @@ -806,7 +813,7 @@ request for the root servers to be accepted. Default 2. <HR> <ADDRESS> -Last Updated: $Id: options.html,v 1.40 2000/06/01 21:37:46 cyarnell Exp $ +Last Updated: $Id: options.html,v 1.41 2000/11/29 11:49:09 marka Exp $ </ADDRESS> </BODY> </HTML> diff --git a/contrib/bind/doc/html/server.html b/contrib/bind/doc/html/server.html index eba350ba3f36..cb0d7d1b669c 100644 --- a/contrib/bind/doc/html/server.html +++ b/contrib/bind/doc/html/server.html @@ -30,7 +30,9 @@ associated with a remote name server.</P> <P>If you discover that a server is giving out bad data, marking it as <CODE>bogus</CODE> will prevent further queries to it. The default value of -<CODE>bogus</CODE> is <CODE>no</CODE>. +<CODE>bogus</CODE> is <CODE>no</CODE>. Marking a server as <CODE>bogus</CODE> +will mark all other addresses for that server as <CODE>bogus</CODE> when +a match is made when looking up a server's address by name. <P>The server supports two zone transfer methods. The first, <CODE>one-answer</CODE>, uses one DNS message per resource record @@ -63,7 +65,7 @@ required to be signed by this key. <HR> <ADDRESS> -Last Updated: $Id: server.html,v 1.10 1999/09/15 20:28:02 cyarnell Exp $ +Last Updated: $Id: server.html,v 1.11 2000/11/08 04:15:07 marka Exp $ </ADDRESS> </BODY> </HTML> 
diff --git a/contrib/bind/doc/man/dnssigner.1 b/contrib/bind/doc/man/dnssigner.1 new file mode 100644 index 000000000000..1fb4ce4623c2 --- /dev/null +++ b/contrib/bind/doc/man/dnssigner.1 
@@ -0,0 +1,213 @@ +.\" Copyright (c) 1996 by Internet Software Consortium +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS +.\" ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE +.\" CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +.\" SOFTWARE. +.\" +.\" $Id: dnssigner.1,v 8.2 1997/03/14 02:29:42 vixie Exp $ +.\" +.Dd October 25, 1996 +.Dt DNSSIGNER @CMD_EXT_U@ +.Os BSD 4 +.Sh NAME +.Nm dnssigner +.Nd add signatures to DNS zone files +.Sh SYNOPSIS +.Nm dnssigner +.Op Cm signer-name Ar default_signer +.Op Cm boot-file Ar file +.Op Cm debug-file Ar file +.Op Cm out-dir Ar directory +.Op Cm seq-no Ar number +.Oo +.Cm expiration-time +.Oo Po Cm + +.Ns \&| +.Ns Cm = +.Pc Oc +.Ns Ar time +.Oc +.Op Cm hide +.Op Cm noaxfr +.Op Cm nosign +.Op Cm verify +.Op Cm update-zonekey +.Op Fl d Ns Ar level +.Sh DESCRIPTION +.Ic Dnssigner +(Sign DNS zone database) is a tool to generate signatures +for DNS (Domain Name System) resource records. It also generates +NXT records for each zone. +.Pp +.Bl -tag -width Fl +.It Cm signer-name Ar default_signer +Specifies a name of the key to use if no signer is defined using the +.Em Li $SIGNER +directive in the boot files. +.It Cm boot-file Ar file +Specifies the control file for +.Ic dnssigner , +which is in the same format as the BIND-4 +.Pa named.boot +file. 
+.It Cm debug-file Ar file +Redirect debug output to the specified +.Ar file ; +default is +.Pa signer_out +in the current directory. +.It Cm out-dir Ar directory +Write signed files to thie specified +.Ar directory ; +default is to use +.Pa /tmp . +.Pp +.Sy NOTE : +Specify the full path to this directory; relative paths may not work. +.It Xo Cm expiration-time +.Oo Po Cm + +.Ns \&| +.Ns Cm = +.Pc Oc +.Ns Ar time +.Xc +Time when the signature records are to +expire. Using either +.Dq Cm = +or +.Em no +sign before the +.Ar time +argument +.Po i.e., +.Do Op Cm = +.Ns Ar time +.Dc +.Pc , +the +.Ar time +is interpreted as an absolute time in seconds when the records will expire. +.Po Sy NOTE : + All such times are interpreted as Universal Times. +.Pc +With +.Dq Cm + +specified +.Pq i.e., Dq Cm + Ns Ar time , +the +.Ar time +time is interpreted as an offset into the future. +.Pp +If not specified on the command line, the default +.Cm expiration-time +is 3600*24*30 sec (30 days). +.It Cm seq-no Ar number +Force the serial number in the SOA records to the specified value. +If this parameter is not set, the serial number will be set to a value +based on the current time. +.It Cm hide +This flag will cause NXT records in zones with wildcard +records to point to +.Li *.<zone> +as the next host. The purpose of this +flag is to hide all information about valid names in a zone. +.It Cm noaxfr +Turn of generation of zone transfer signature records, +which validate the transfer of an entire zone. +.It Cm nosign +When this flag is specified, the boot files are read, NXT +records are generated and zone file is written to the output +directory. No SIG records are generated. This flag is useful for +quickly checking the format of the data in the boot files, and to +have boot files sorted into DNSSEC order. +.It Cm verify +When this flag is present, +.Ic dnssigner +will verify all +signed records and print out a confirmation message for each SIG +verified. 
The main use of this flag is to see how long it takes to +generate each signature. +.It Cm update-zonekey +If this flag is specified, then the zonekeys used +to sign files will be updated with new records. Specify this flag if +one or more of the keys have been updated. If there are no zonekeys +specified in the boot files, this flag will insert them. Omitting +zonekeys will cause primary nameservers to reject the zone. +.It Fl d Ns Ar level +Debug level to use for running +.Ic dnssigner ; +these levels are the same as those used by +.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ +.El +.Ss DETAILS +.Ic Dnssigner +reads BIND-4 +.Pa named.boot +and zone files, adds SIG and NXT +records and writes out the records (to one file per zone, regardless of +how many include files the original zone was in). The files generated by +.Ic dnssigner +are ordinary textual zone files and are then normally +loaded by +.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ +to serve the zone. +.Ic Dnssigner +\fBrequires that the PRIVATE key(s) reside in the input directory\fP. +.Pp +Making manual changes to the output files is hazardous, because most +changes will invalidate one or more signatures contained therein. This +will cause the zone to fail to load into +.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ , +or will cause subsequent +failures in retrieving records from the zone. It is far better to make +changes in +.Ic dnssigner's +input files, and rerun +.Ic dnssigner . +.Pp +When +.Ic dnssigner +detects a delegation point, it creates a special file +.Pa <zone_name>.PARENT +which contains the RR's the parent zone signs for the +child zone (NS, KEY, NXT). The intent is that the child will include this +file when loading primary nameservers. Similarly, each zone file ends +with the +.Dq Li #include <zone_name>.PARENT +command. The records +in the +.Pa .PARENT +files are omitted from the SIG(AXFR) calculations as these +records usualy are on a different signing cycle. 
+.Pp +The +.Em Li Dq $SIGNER Op Ar keyname +directive can be used to change signers in a +zone. If +.Ar keyname +is omitted, signing is turned off. Keys are loaded the +first time the keys are accessed. Only records that are signed by the +zone signer (the key that signs the SOA) are included in the SIG(AXFR) +calculation. It is not generally recommended that multiple keys sign +records in the same zone, unless this is useful for dynamic updates. +.Sh ENVIRONMENT +No environmental variables are used. +.Sh SEE ALSO +.Xr @INDOT_U@NAMED @SYS_OPS_EXT_U@ , +RSAREF documentation, +Internet-Draft +.Em draft-ietf-dnssec-secext-10.txt +on Secure DNS, or its successor. +.Sh AUTHOR +Olafur Gudmundsson (ogud@tis.com) +.Sh ACKNOWLEDGMENTS +The underlying crypto math is done by the RSAREF or BSAFE libraries. diff --git a/contrib/bind/doc/man/named.conf.5 b/contrib/bind/doc/man/named.conf.5 index 6dde5cacdb57..e2f4a0f7beff 100644 --- a/contrib/bind/doc/man/named.conf.5 +++ b/contrib/bind/doc/man/named.conf.5 @@ -1,4 +1,4 @@ -.\" Copyright (c) 1999 by Internet Software Consortium +.\" Copyright (c) 1999-2000 by Internet Software Consortium .\" .\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above @@ -826,6 +826,7 @@ options { [ fetch-glue \fIyes_or_no\fR; ] [ has-old-clients \fIyes_or_no\fR; ] [ host-statistics \fIyes_or_no\fR; ] + [ host-statistics-max \fInumber\fR; ] [ multiple-cnames \fIyes_or_no\fR; ] [ notify \fIyes_or_no\fR; ] [ recursion \fIyes_or_no\fR; ] 
@@ -1070,15 +1071,20 @@ turning on .Ic host-statistics can consume huge amounts of memory. +.It IC host-statistics-max +The maximum number of host records that will be kept. +When this limit is reached no new hosts will be added to the host statistics. +If the set to zero then there is no limit set. +The default value is zero. + .It Ic maintain-ixfr-base If .Li yes , -statistics are kept for every host that the nameserver interacts with. The default is +a IXFR database file is kept for all dynamicaly updated zones. +This enables the server to answer IXFR queries which can speed up +zone transfers enormously. +The default is .Li no . -.Em Note: -turning on -.Li host-statistics -can consume huge amounts of memory. .It Ic multiple-cnames If @@ -1287,12 +1293,7 @@ from all hosts. .Bl -tag -width 1 .It Ic allow-recursion Specifies which hosts are allowed to ask recursive questions. -.Ic allow-recursion -may also be specified in the -.Ic zone -statement, in which case it overrides the -.Ic options allow-recursion -statement. If not specified, the default is to allow recursive queries +If not specified, the default is to allow recursive queries from all hosts. .It Ic allow-transfer @@ -2141,6 +2142,11 @@ will prevent further queries to it. The default value of .Ic bogus is .Li no . +Marking a server as +.Ic bogus +will mark all other addresses for that server as +.Ic bogus +when a match is made when looking up a server's address by name. .Pp The server supports two zone transfer methods. The first, diff --git a/contrib/bind/doc/man/nsupdate.8 b/contrib/bind/doc/man/nsupdate.8 index 296709b7fa0d..78f9a193a1c3 100644 --- a/contrib/bind/doc/man/nsupdate.8 +++ b/contrib/bind/doc/man/nsupdate.8 @@ -1,4 +1,5 @@ -.\" $Id: nsupdate.8,v 8.5 2000/02/29 03:50:48 vixie Exp $ +.\" $FreeBSD$ +.\" $Id: nsupdate.8,v 8.6 2000/10/30 23:06:57 cyarnell Exp $ .\" .\"Copyright (c) 1999 by Internet Software Consortium .\" 
@@ -55,6 +56,8 @@ each line contributing a resource record to an update request. All domain names used in a single update request must belong to the same DNS zone. +Updates are sent to the master server as defined in the SOA +MNAME field. A blank line causes the accumulated records to be formated into a single update request and transmitted to the zone's authoritative name servers. diff --git a/contrib/bind/doc/man/resolver.3 b/contrib/bind/doc/man/resolver.3 index 890c836ff6e4..4569e84ce9ca 100644 --- a/contrib/bind/doc/man/resolver.3 +++ b/contrib/bind/doc/man/resolver.3 @@ -16,7 +16,8 @@ .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. .\" .\" @(#)resolver.3 6.5 (Berkeley) 6/23/90 -.\" $Id: resolver.3,v 8.12 2000/07/11 06:10:55 vixie Exp $ +.\" $Id: resolver.3,v 8.13 2000/12/05 02:37:33 vixie Exp $ +.\" $FreeBSD$ .\" .Dd July 4, 2000 .Dt RESOLVER @LIB_NETWORK_EXT_U@ @@ -59,6 +60,8 @@ .Fd #include <netinet/in.h> .Fd #include <arpa/nameser.h> .Fd #include <resolv.h> +.Ft typedef struct __res_state *res_state; +.Pp .Fn res_ninit "res_state statp" .Fn res_ourserver_p "const res_state statp" "const struct sockaddr_in *addr" .Fn fp_resstat "const res_state statp" "FILE *fp" diff --git a/contrib/bind/doc/misc/IPv6 b/contrib/bind/doc/misc/IPv6 new file mode 100644 index 000000000000..49fc3f5ec37c --- /dev/null +++ b/contrib/bind/doc/misc/IPv6 
@@ -0,0 +1,72 @@ +IPv6 notes for BIND 4.9.3 Patch 2 Candidate 5 (and later?) +Paul Vixie, May 20, 1996 +doc/misc/IPv6 + + *** Introduction *** + +The IPv6 support in this release is latent, in that its presence is not +documented. The support is not optional, since its presence ought not to +affect anyone who does not go looking for it. The support includes: + + inet_ntop() new function. + inet_pton() new function. + RES_USE_INET6 causes gethostby*() to return either real IPv6 + addresses (if available) or mapped (::FFFF:a.b.c.d) + addresses if only IPv4 address records are found. + gethostbyname() can search for T_AAAA in preference to T_A. + gethostbyaddr() can search in IP6.INT for PTR RR's. + named can load, transfer, cache, and dump T_AAAA RRs. + + *** Some notes on the new functions *** + +The inet_pton() and inet_ntop() functions differ from the current (as of +this writing) IPv6 BSD API draft. Discussions were held, primarily between +myself and Rich Stevens, on the ipng@sunroof.eng.sun.com mailing list, and +the BIND definitions of these functions are likely to go into the next draft. +(If not, and BIND has to change its definitions of these functions, then you +will know why I chose not to document them yet!) + +These functions can return error values, and as such the process of porting +code that used inet_aton() to use inet_pton() is not just syntactic. Not all +nonzero values indicate success; consider "-1". Likewise, inet_ntoa() is not +just smaller than inet_ntop() -- it's a whole new approach. Inet_ntop() does +not return a static pointer, the caller has to supply a sized buffer. Also, +inet_ntop() can return NULL, so you should only printf() the result if you +have verified that your arguments will be seen as error free. + +The inet_pton() function is much pickier about its input format than the old +inet_aton() function has been. You can't abbreviate 10.0.0.53 as 10.53 any +more. Hexadecimal isn't accepted. 
You have to supply four decimal numeric +strings, each of whose value is within the range from 0 to 255. No spaces +are allowed either before, after, or within an address. If you need the older +functionality with all the shortcuts and exceptions, continue using inet_aton() +for your IPv4 address parsing needs. + + *** Some notes on RES_USE_INET6 *** + +You can set this by modifying _res.options after calling res_init(), or you +can turn it on globally by setting "options inet6" in /etc/resolv.conf. This +latter option ought to be used carefully, since _all_ applications will then +receive IPv6 style h_addr_list's from their gethostby*() calls. Once you know +that every application on your system can cope with IPv6 addressing, it is safe +and reasonable to turn on the global option. Otherwise, don't do it. + + *** Some notes on mapped IPv4 addresses *** + +There are two IPv6 prefixes set aside for IPv4 address encapsulation. See +RFC 1884 for a detailed explaination. The ::a.b.c.d form is used for +tunnelling, which means wrapping an IPv4 header around IPv6 packets and using +the existing IPv4 routing infrastructure to reach what are actually IPv6 +endpoints. The ::FFFF:a.b.c.d form can be used on dual-stack (IPv4 and IPv6) +hosts to signal a predominantly IPv6 stack that it should use ``native'' IPv4 +to reach a given destination, even though the socket's address family is +AF_INET6. + +BIND supports both of these address forms, to the extent that inet_pton() will +parse them, inet_ntop() will generate them, gethostby*() will map IPv4 into +IPv6 if the RES_USE_INET6 option is set, and gethostbyaddr() will search the +IN-ADDR.ARPA domain rather than the IP6.INT domain when it needs a PTR RR. +This last bit of behaviour is still under discussion and it's not clear that +tunnelled addresses should be mapped using IN-ADDR.ARPA. In other words, this +bit of behaviour may change in a subsequent BIND release. 
So now you know +another reason why none of this stuff is ``officially'' documented.
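Review bot: the new `host-statistics-max` description in the options.html `@@ -200,6 +201,12 @@` hunk contains a garbled sentence, "If the set to zero then there is no limit set."; suggest "If set to zero, no limit is enforced." Since the default of zero keeps the unbounded behaviour that the preceding paragraph warns "can consume huge amounts of memory", the text should also say that the option is the way to bound that growth, e.g. "Set this whenever `host-statistics` is enabled on a busy server."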
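Review bot: in the named.conf.5 `@@ -1070,15 +1071,20 @@` hunk, `.It IC host-statistics-max` should be `.It Ic host-statistics-max`; `IC` is not an mdoc macro, so the option name will be printed literally as "IC host-statistics-max" instead of being rendered like the neighbouring `.It Ic maintain-ixfr-base`. The same hunk repeats the ungrammatical "If the set to zero then there is no limit set." from options.html and introduces "a IXFR database file is kept for all dynamicaly updated zones"; suggest "an IXFR database file is kept for all dynamically updated zones". Replacing the copy-pasted host-statistics text under `maintain-ixfr-base` with a real description is correct.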
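Review bot: the sentence added in both the server.html `@@ -30,7 +30,9 @@` hunk and the named.conf.5 `@@ -2141,6 +2142,11 @@` hunk, "will mark all other addresses for that server as bogus when a match is made when looking up a server's address by name", stacks two "when" clauses and leaves the trigger unclear; suggest "If a server is named rather than given by address, marking it bogus applies to every address obtained when that name is looked up." Operators need the unambiguous form: one bogus entry stops queries to all addresses of that name, not just the one that matched.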
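Review bot: the new dnssigner.1 page documents `out-dir` as defaulting to `/tmp`, while DETAILS states that the private key(s) must reside in the input directory and that the output files are loaded directly by named; since /tmp is normally world-writable, the existing NOTE under `out-dir` should also recommend an explicit directory that is not shared with other users, so that signed zone files cannot be replaced between signing and loading. Typos in the same file: "Write signed files to thie specified directory" (should be "the"), "Turn of generation of zone transfer signature records" under `noaxfr` (should be "Turn off"), and "these records usualy are on a different signing cycle" in DETAILS (should be "usually"). The SEE ALSO entry cites `draft-ietf-dnssec-secext-10.txt`; that draft was published as RFC 2065 and later superseded by RFC 2535, so the reference should name the RFC. The file also has no `$FreeBSD$` line, although this same commit adds one to nsupdate.8 and resolver.3; if those are intentional the new file should carry one too.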
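Review bot: the nsupdate.8 `@@ -55,6 +56,8 @@` hunk adds "Updates are sent to the master server as defined in the SOA MNAME field." but the context two lines below still says the request is "transmitted to the zone's authoritative name servers"; the two statements should agree, e.g. change the latter to "transmitted to the zone's master server". The untouched context also reads "formated" (should be "formatted") and could be fixed in the same change.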
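Review bot: in the resolver.3 `@@ -59,6 +60,8 @@` hunk, `.Ft typedef struct __res_state *res_state;` uses the function-type macro for a typedef; the mdoc idiom for declaring a type in a SYNOPSIS is `.Vt struct __res_state *res_state;`, and the `typedef` keyword is not normally shown there. Also, the `$FreeBSD$` line is placed after `$Id$` in this file but before it in nsupdate.8 in the same commit; pick one order.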
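Review bot: doc/misc/IPv6 is a note dated May 20, 1996 and written for "BIND 4.9.3 Patch 2 Candidate 5", and it is being added verbatim to a BIND 8 tree; the header should say that it is historical, and two details are stale or wrong: RFC 1884, cited for the ::a.b.c.d and ::FFFF:a.b.c.d forms, was obsoleted by RFC 2373, and "explaination" should be "explanation". The paragraph stating that inet_pton() rejects abbreviated forms such as 10.53 and hexadecimal input, whereas inet_aton() keeps "all the shortcuts and exceptions", deserves emphasis rather than being buried in porting notes: code that validates or allow-lists an address with inet_aton() accepts spellings that a stricter consumer will parse differently or reject, so inet_pton() is the parser to use for any access-control decision.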
