author | Tom Rhodes <trhodes@FreeBSD.org> | 2004-09-19 01:30:24 +0000 |
---|---|---|
committer | Tom Rhodes <trhodes@FreeBSD.org> | 2004-09-19 01:30:24 +0000 |
commit | b1e4bd53e00e9694dd378a884abd3f2dd790190d (patch) | |
tree | 97706b7f62557da0a2539b026e5cf66008ddf8c6 | |
Vendor import of BIND 9.3.0rc4.
Notes:
svn path=/vendor/bind9/dist/; revision=135446
1090 files changed, 509412 insertions, 0 deletions
diff --git a/contrib/bind9/CHANGES b/contrib/bind9/CHANGES new file mode 100644 index 000000000000..ac7f212853fa --- /dev/null +++ b/contrib/bind9/CHANGES 
@@ -0,0 +1,5479 @@ + + --- 9.3.0rc4 released --- + +1709. [port] solaris: add SMF support. + +1708. [cleanup] Replaced dns_fullname_hash() with dns_name_fullhash() + for conformance to the name space convention. Binary + backward compatibility to the old function name is + provided. [RT #12376] + +1707. [contrib] sdb/ldap updated to version 1.0-beta. + +1706. [bug] 'rndc stop' failed to cause zones to be flushed + sometimes. [RT #12328] + +1704. [port] lwres needed a snprintf() implementation for + platforms without snprintf(). Add missing + "#include <isc/print.h>". [RT #12321] + +1703. [bug] named would loop sending NOTIFY messages when it + failed to receive a response. [RT #12322] + +1702. [bug] also-notify should not be applied to builtin zones. + [RT #12323] + +1701. [doc] A minimal named.conf man page. + +1700. [func] nslookup is no longer to be treated as deprecated. + Remove "deprecated" warning message. Add man page. + +1699. [bug] dnssec-signzone can generate "not exact" errors + when resigning. [RT #12281] + +1698. [doc] Use reserved IPv6 documentation prefix. + +1697. [bug] xxx-source{,-v6} was not effective when it + specified one of listening addresses and a + different port than the listening port. [RT #12257] + + --- 9.3.0rc3 released --- + +1696. [bug] dnssec-signzone failed to clean out nodes that + consisted of only NSEC and RRSIG records. + [RT #12154] + +1695. [bug] DS records when forwarding require special handling. + [RT #12133] + +1694. [bug] Report if the builtin views of "_default" / "_bind" + are defined in named.conf. [RT #12023] + +1693. [bug] max-journal-size was not effective for master zones + with ixfr-from-differences set. [RT# 12024] + +1692. [bug] Don't set -I, -L and -R flags when libcrypto is in + /usr/lib. [RT #11971] + +1691. [bug] sdb's attachversion was not complete. [RT #11990] + +1690. [bug] Delay detaching view from the client until UPDATE + processing completes when shutting down. [RT #11714] + +1689. 
[bug] DNS_NAME_TOREGION() and DNS_NAME_SPLIT() macros + contained gratuitous semicolons. [RT #11707] + +1688. [bug] LDFLAGS was not supported. + +1687. [bug] Race condition in dispatch. [RT #10272] + +1686. [bug] Named sent a extraneous NOTIFY when it received a + redundant UPDATE request. [RT #11943] + + --- 9.3.0rc2 released --- + +1685. [bug] Change #1679 loop tests weren't quite right. + +1683. [bug] dig +sigchase could leak memory. [RT #11445] + +1682. [port] Update configure test for (long long) printf format. + [RT #5066] + +1681. [bug] Only set SO_REUSEADDR when a port is specified in + isc_socket_bind(). [RT #11742] + +1679. [bug] When there was a single nameserver with multiple + addresses for a zone not all addresses were tried. + [RT #11706] + +1678. [bug] RRSIG should use TYPEXXXXX for unknown types. + +1677. [bug] dig: +aaonly didn't work, +aaflag undocumented. + +1675. [bug] named would sometimes add extra NSEC records to + the authority section. + +1674. [port] linux: increase buffer size used to scan + /proc/net/if_inet6. + +1673. [port] linux: issue a error messages if IPv6 interface + scans fails. + +1672. [cleanup] Tests which only function in a threaded build + now return R:THREADONLY (rather than R:UNTESTED) + in a non-threaded build. + +1671. [contrib] queryperf: add NAPTR to the list of known types. + +1670. [func] Log UPDATE requests to slave zones without an acl as + "disabled" at debug level 3. [RT# 11657] + +1668. [bug] DIG_SIGCHASE was making bin/dig/host dump core. + +1667. [port] linux: not all versions have IF_NAMESIZE. + +1666. [bug] The optional port on hostnames in dual-stack-servers + was being ignored. + +1663. [func] Look for OpenSSL by default. + +1661. [bug] Restore dns_name_concatenate() call in + adb.c:set_target(). [RT #11582] + +1660. [bug] win32: connection_reset_fix() was being called + unconditionally. [RT #11595] + + --- 9.3.0rc1 released --- + +1664. [bug] nsupdate needed KEY for SIG(0), not DNSKEY. + +1662. 
[bug] Change #1658 failed to change one use of 'type' + to 'keytype'. + +1659. [cleanup] Cleanup some messages that were referring to KEY vs + DNSKEY, NXT vs NSEC and SIG vs RRSIG. + +1658. [func] Update dnssec-keygen to default to KEY for HMAC-MD5 + and DH. Tighten which options apply to KEY and + DNSKEY records. + +1657. [doc] ARM: document query log output. + +1656. [doc] Update DNSSEC description in ARM to cover DS, NSEC + DNSKEY and RRSIG. [RT #11542] + +1655. [bug] Logging multiple versions w/o a size was broken. + [RT #11446] + +1654. [bug] isc_result_totext() contained array bounds read + error. + +1653. [func] Add key type checking to dst_key_fromfilename(), + DST_TYPE_KEY should be used to read TSIG, TKEY and + SIG(0) keys. + +1652. [bug] TKEY still uses KEY. + +1651. [bug] dig: process multiple dash options. + +1650. [bug] dig, nslookup: flush standard out after each command. + +1649. [bug] Silence "unexpected non-minimal diff" message. + [RT #11206] + +1648. [func] Update dnssec-lookaside named.conf syntax to support + multiple dnssec-lookaside namespaces (not yet + implemented). + +1647. [bug] It was possible trigger a INSIST when chasing a DS + record that required walking back over a empty node. + [RT #11445] + +1646. [bug] win32: logging file versions didn't work with + non-UNC filenames. [RT#11486] + +1645. [bug] named could trigger a REQUIRE failure if multiple + masters with keys are specified. + +1644. [bug] Update the journal modification time after a + sucessfull refresh query. [RT #11436] + +1643. [bug] dns_db_closeversion() could leak memory / node + references. [RT #11163] + +1642. [port] Support OpenSSL implementations which don't have + DSA support. [RT #11360] + +1641. [bug] Update the check-names description in ARM. [RT #11389] + + --- 9.3.0beta4 released --- + +1640. [bug] win32: isc_socket_cancel(ISC_SOCKCANCEL_ACCEPT) was + incorrectly closing the socket. [RT #11291] + +1639. [func] Initial dlv system test. + +1638. 
[bug] "ixfr-from-differences" could generate a REQUIRE + failure if the journal open failed. [RT #11347] + +1637. [bug] Node reference leak on error in addnoqname(). + +1636. [bug] The dump done callback could get ISC_R_SUCCESS even if + a error had occured. The database version no longer + matched the version of the database that was dumped. + +1635. [bug] Memory leak on error in query_addds(). + +1634. [bug] named didn't supply a useful error message when it + detected duplicate views. [RT #11208] + +1633. [bug] named should return NOTIMP to update requests to a + slaves without a allow-update-forwarding acl specified. + [RT #11331] + +1632. [bug] nsupdate failed to send prerequisite only UPDATE + messages. [RT #11288] + +1631. [bug] dns_journal_compact() could sometimes corrupt the + journal. [RT #11124] + +1630. [contrib] queryperf: add support for IPv6 transport. + +1629. [func] dig now supports IPv6 scoped addresses with the + extended format in the local-server part. [RT #8753] + +1628. [bug] Typo in Compaq Trucluster support. [RT# 11264] + +1627. [bug] win32: sockets were not being closed when the + last external reference was removed. [RT# 11179] + +1626. [bug] --enable-getifaddrs was broken. [RT#11259] + +1625. [bug] named failed to load/transfer RFC2535 signed zones + which contained CNAMES. [RT# 11237] + +1606. [bug] DLV insecurity proof was failing. + +1605. [func] New dns_db_find() option DNS_DBFIND_COVERINGNSEC. + + --- 9.3.0beta3 released --- + +1624. [bug] zonemgr_putio() call should be locked. [RT# 11163] + +1623. [bug] A serial number of zero was being displayed in the + "sending notifies" log message when also-notify was + used. [RT #11177] + +1622. [func] probe the system to see if IPV6_(RECV)PKTINFO is + available, and suppress wildcard binding if not. + +1621. [bug] match-destinations did not work for IPv6 TCP queries. + [RT# 11156] + +1620. [func] When loading a zone report if it is signed. [RT #11149] + +1619. 
[bug] Missing ISC_LIST_UNLINK in end_reserved_dispatches(). + [RT# 11118] + +1618. [bug] Fencepost errors in dns_name_ishostname() and + dns_name_ismailbox() could trigger a INSIST(). + +1617. [port] win32: VC++ 6.0 support. + +1616. [compat] Ensure that named's version is visible in the core + dump. [RT #11127] + +1615. [port] Define ISC_SOCKADDR_LEN_T based on _BSD_SOCKLEN_T_ if + it is defined. + +1614. [port] win32: silence resource limit messages. [RT# 11101] + +1613. [bug] Builds would fail on machines w/o a if_nametoindex(). + Missing #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX/#endif. + [RT #11119] + +1612. [bug] check-names at the option/view level could trigger + an INSIST. [RT# 11116] + +1611. [bug] solaris: IPv6 interface scanning failed to cope with + no active IPv6 interfaces. + +1610. [bug] On dual stack machines "dig -b" failed to set the + address type to be looked up with "@server". + [RT #11069] + +1600. [bug] Duplicate zone pre-load checks were not case + insensitive. + +1599. [bug] Fix memory leak on error path when checking named.conf. + +1598. [func] Specify that certain parts of the namespace must + be secure (dnssec-must-be-secure). + + --- 9.3.0beta2 released --- + +1609. [func] dig now has support to chase DNSSEC signature chains. + Requires -DDIG_SIGCHASE=1 to be set in STD_CDEFINES. + +1608. [func] dig and host now accept -4/-6 to select IP transport + to use when making queries. + +1607. [bug] dig, host and nslookup were still using random() + to generate query ids. [RT# 11013] + +1604. [bug] A xfrout_ctx_create() failure would result in + xfrout_ctx_destroy() being called with a + partially initialized structure. + +1603. [bug] nsupdate: set interactive based on isatty(). + [RT# 10929] + +1602. [bug] Logging to a file failed unless a size was specified. + [RT# 10925] + +1601. [bug] Silence spurious warning 'both "recursion no;" and + "allow-recursion" active' warning from view "_bind". + [RT# 10920] + +1594. 
[bug] 'rndc dumpdb' could prevent named from answering + queries while the dump was in progress. [RT #10565] + +1593. [bug] rndc should return "unknown command" to unknown + commands. [RT# 10642] + + --- 9.3.0beta1 released --- + +1592. [bug] configure_view() could leak a dispatch. [RT #10675] + +1591. [bug] libbind: updated to BIND 8.4.5. + +1590. [port] netbsd: update thread support. + +1589. [func] DNSSEC lookaside validation. + +1588. [bug] win32: TCP sockets could become blocked. [RT #10115] + +1587. [bug] dns_message_settsigkey() failed to clear existing key. + [RT #10590] + +1586. [func] "check-names" is now implemented. + +1584. [bug] "make test" failed with a read only source tree. + [RT #10461] + +1583. [bug] Records add via UPDATE failed to get the correct trust + level. [RT #10452] + +1582. [bug] rrset-order failed to work on RRsets with more + than 32 elements. [RT #10381] + +1581. [func] Disable DNSSEC support by default. To enable + DNSSEC specify "dnssec-enable yes;" in named.conf. + +1580. [bug] Zone destruction on final detach takes a long time. + [RT #3746] + +1579. [bug] Multiple task managers could not be created. + +1578. [bug] Don't use CLASS E IPv4 addresses when resolving. + [RT #10346] + +1577. [bug] Use isc_uint32_t in ultrasparc optimizer bug + workaround code. [RT #10331] + +1576. [bug] Race condition in dns_dispatch_addresponse(). + [RT# 10272] + +1575. [func] Log TSIG name on TSIG verify failure. [RT #4404] + +1574. [bug] Don't attempt to open the controls socket(s) when + running tests. [RT #9091] + +1573. [port] linux: update to libtool 1.5.2 so that + "make install DESTDIR=/xx" works with + "configure --with-libtool". [RT #9941] + +1572. [bug] nsupdate: sign the soa query to find the enclosing + zone if the server is specified. [RT #10148] + +1571. [bug] rbt:hash_node() could fail leaving the hash table + in an inconsistent state. [RT #10208] + +1570. [bug] nsupdate failed to handle classes other than IN. 
+ New keyword 'class' which sets the default class. + [RT #10202] + +1569. [func] nsupdate new command 'answer' which displays the + complete answer message to the last update. + +1568. [bug] nsupdate now reports that the update failed in + interactive mode. [RT# 10236] + +1567. [bug] B.ROOT-SERVERS.NET is now 192.228.79.201. + +1566. [port] Support for the cmsg framework on Solaris and HP/UX. + This also solved the problem that match-destinations + for IPv6 addresses did not work on these systems. + [RT #10221] + +1565. [bug] CD flag should be copied to outgoing queries unless + the query is under a secure entry point in which case + CD should be set. + +1564. [func] Attempt to provide a fallback entropy source to be + used if named is running chrooted and named is unable + to open entropy source within the chroot area. + [RT #10133] + +1563. [bug] Gracefully fail when unable to obtain neither an IPv4 + nor an IPv6 dispatch. [RT #10230] + +1562. [bug] isc_socket_create() and isc_socket_accept() could + leak memory under error conditions. [RT #10230] + +1561. [bug] It was possible to release the same name twice if + named ran out of memory. [RT #10197] + +1560. [port] FreeBSD: work around FreeBSD 5.2 mapping EAI_NODATA + and EAI_NONAME to the same value. + +1559. [port] named should ignore SIGFSZ. + +1558. [func] New DNSSEC 'disable-algorithms'. Support entry into + child zones for which we don't have a supported + algorithm. Such child zones are treated as unsigned. + +1557. [func] Implement missing DNSSEC tests for + * NOQNAME proof with wildcard answers. + * NOWILDARD proof with NXDOMAIN. + Cache and return NOQNAME with wildcard answers. + +1556. [bug] nsupdate now treats all names as fully qualified. + [RT #6427] + +1555. [func] 'rrset-order cyclic' no longer has a random starting + point. [RT #7572] + +1554. [bug] dig, host, nslookup failed when no nameservers + were specified in /etc/resolv.conf. [RT #8232] + +1553. 
[bug] The windows socket code could stop accepting + connections. [RT#10115] + +1552. [bug] Accept NOTIFY requests from mapped masters if + matched-mapped is set. [RT #10049] + +1551. [port] Open "/dev/null" before calling chroot(). + +1550. [port] Call tzset(), if available, before calling chroot(). + +1549. [func] named-checkzone can now write out the zone contents + in a easily parsable format (-D and -o). + +1548. [bug] When parsing APL records it was possible to silently + accept out of range ADDRESSFAMILY values. [RT# 9979] + +1547. [bug] Named wasted memory recording duplicate lame zone + entries. [RT #9341] + +1546. [bug] We were rejecting valid secure CNAME to negative + answers. + +1545. [bug] It was possible to leak memory if named was unable to + bind to the specified transfer source and TSIG was + being used. [RT #10120] + +1544. [bug] Named would logged a single entry to a file despite it + being over the specified size limit. + +1543. [bug] Logging using "versions unlimited" did not work. + +1541. [func] NSEC now uses new bitmap format. + +1540. [bug] "rndc reload <dynamiczone>" was silently accepted. + [RT #8934] + +1539. [bug] Open UDP sockets for notify-source and transfer-source + that use reserved ports at startup. [RT #9475] + +1537. [func] New option "querylog". If set specify whether query + logging is to be enabled or disabled at startup. + +1536. [bug] Windows socket code failed to log a error description + when returning ISC_R_UNEXPECTED. [RT #9998] + +1534. [bug] Race condition when priming cache. [RT# 9940] + +1533. [func] Warn if both "recursion no;" and "allow-recursion" + are active. [RT# 4389] + +1532. [port] netbsd: the configure test for <sys/sysctl.h> + requires <sys/param.h>. + +1531. [port] AIX more libtool fixes. + +1530. [bug] It was possible to trigger a INSIST() failure if a + slave master file was removed at just the correct + moment. [RT #9462] + +1529. 
[bug] "notify explicit;" failed to log that NOTIFY messages + were being sent for the zone. [RT# 9442] + +1528. [cleanup] Simplify some dns_name_ functions based on the + deprecation of bitstring labels. + +1527. [cleanup] Reduce the number of gettimeofday() calls without + losing necessary timer granularity. + +1525. [bug] dns_cache_create() could trigger a REQUIRE + failure in isc_mem_put() during error cleanup. + [RT# 9360] + +1524. [port] AIX needs to be able to resolve all symbols when + creating shared libraries (--with-libtool). + +1523. [bug] Fix race condition in rbtdb. [RT# 9189] + +1522. [bug] dns_db_findnode() relax the requirements on 'name'. + [RT# 9286] + +1521. [bug] dns_view_createresolver() failed to check the + result from isc_mem_create(). [RT# 9294] + +1520. [protocol] Add SSHFP (SSH Finger Print) type. + +1519. [bug] dnssec-signzone:nsec_setbit() computed the wrong + length of the new bitmap. + +1518. [bug] dns_nsec_buildrdata(), and hence dns_nsec_build(), + contained a off-by-one error when working out the + number of octets in the bitmap. + +1517. [port] Support for IPv6 interface scanning on HP/UX and + TrueUNIX 5.1. + +1516. [func] Roll the DNSSEC types to RRSIG, NSEC and DNSKEY. + +1515. [func] Allow transfer source to be set in a server statement. + [RT #6496] + +1514. [bug] named: isc_hash_destroy() was being called too early. + [RT #9160] + +1513. [doc] Add "US" to root-delegation-only exclude list. + +1512. [bug] Extend the delegation-only logging to return query + type, class and responding nameserver. + +1511. [bug] delegation-only was generating false positives + on negative answers from subzones. + +1510. [func] New view option "root-delegation-only". Apply + delegation-only check to all TLDs and root. + Note there are some TLDs that are NOT delegation + only (e.g. DE, LV, US and MUSEUM) these can be excluded + from the checks by using exclude. + + root-delegation-only exclude { + "DE"; "LV"; "US"; "MUSEUM"; + }; + +1509. 
[bug] Hint zones should accept delegation-only. Forward + zone should not accept delegation-only. + +1508. [bug] Don't apply delegation-only checks to answers from + forwarders. + +1507. [bug] Handle BIND 8 style returns to NS queries to parents + when making delegation-only checks. + +1506. [bug] Wrong return type for dns_view_isdelegationonly(). + +1505. [bug] Uninitialized rdataset in sdb. [RT #8750] + +1504. [func] New zone type "delegation-only". + +1503. [port] win32: install libeay32.dll outside of system32. + +1502. [bug] nsupdate: adjust timeouts for UPDATE requests over TCP. + +1501. [func] Allow TCP queue length to be specified via + named.conf, tcp-listen-queue. + +1500. [bug] host failed to lookup MX records. Also look up + AAAA records. + +1475. [port] Probe for old sprintf(). + +1474. [port] Provide strtoul() and memmove() for platforms + without them. + +1469. [func] Log end of outgoing zone transfer at same level + as the start of transfer is logged. [RT #4441] + +1468. [func] Internal zones are no longer counted for + 'rndc status'. [RT #4706] + +1467. [func] $GENERATES now supports optional class and ttl. + +1458. [cleanup] sprintf() -> snprintf(). + +1457. [port] Provide strlcat() and strlcpy() for platforms without + them. + +1455. [bug] <netaddr> missing from server grammar in + doc/misc/options. [RT #5616] + +1454. [port] Use getifaddrs() if available for interface scanning. + --disable-getifaddrs to override. Glibc currently + has a getifaddrs() that does not support IPv6. + Use --enable-getifaddrs=glibc to force the use of + this version under linux machines. + +1446. [func] Implemented undocumented alternate transfer sources + from BIND 8. See use-alt-transfer-source, + alt-transfer-source and alt-transfer-source-v6. + + SECURITY: use-alt-transfer-source is ENABLED unless + you are using views. 
This may cause a security risk + resulting in accidental disclosure of wrong zone + content if the master supplying different source + content based on IP address. If you are not certain + ISC recommends setting use-alt-transfer-source no; + +1444. [func] dns_view_findzonecut2() allows you to specify if the + cache should be searched for zone cuts. + +1443. [func] Masters lists can now be specified and referenced + in zone masters clauses and other masters lists. + +1442. [func] New functions for manipulating port lists: + dns_portlist_create(), dns_portlist_add(), + dns_portlist_remove(), dns_portlist_match(), + dns_portlist_attach() and dns_portlist_detach(). + +1441. [func] It is now possible to tell dig to bind to a specific + source port. + +1440. [func] It is now possible to tell named to avoid using + certain source ports (avoid-v4-udp-ports, + avoid-v6-udp-ports). + +1438. [func] Log TSIG (if any) when logging NOTIFY requests. + +1436. [func] dns_zonemgr_resumexfrs() can be used to restart + stalled transfers. + +1433. [bug] named could trigger a REQUIRE failure if it could + not get a file descriptor when attempting to write + a master file. [RT #4347] + +1432. [func] The advertised EDNS UDP buffer size can now be set + via named.conf (edns-udp-size). + +1430. [port] linux: IPv6 interface scanning support. + +1422. [func] Log name/type/class when denying a query. [RT #4663] + +1421. [func] Differentiate updates that don't succeed due to + prerequisites (unsuccessful) vs other reasons + (failed). + +1417. [func] ID.SERVER/CHAOS is now a built in zone. + See "server-id" for how to configure. + +1415. [func] DS TTL now derived from NS ttl. NXT TTL now derived + from SOA MINIMUM. + +1414. [func] Support for KSK flag. + +1413. [func] Explictly request the (re-)generation of DS records from + keysets (dnssec-signzone -g). + +1412. [func] You can now specify servers to be tried if a nameserver + has IPv6 address and you only support IPv4 or the + reverse. 
See dual-stack-servers. + +1410. [func] Handle records that live in the parent zone, e.g. DS. + +1409. [bug] DS should have attribute DNS_RDATATYPEATTR_DNSSEC. + +1404. [bug] libbind: ns_name_ntol() could overwrite a zero length + buffer. + +1403. [func] dnssec-signzone, dnssec-keygen, dnssec-makekeyset + dnssec-signkey now report their version in the + usage message. + +1402. [cleanup] A6 has been moved to experimental and is no longer + fully supported. + +1400. [bug] Block the addition of wildcard NS records by IXFR + or UPDATE. [RT #3502] + +1398. [doc] ARM: notify-also should have been also-notify. + [RT #4345] + +1396. [func] dnssec-signzone: adjust the default signing time by + 1 hour to allow for clock skew. + +1394. [func] It is now possible to check if a particular element is + in a acl. Remove duplicate entries from the localnets + acl. + +1393. [port] Bind to individual IPv6 interfaces if IPV6_IPV6ONLY + is not available in the kernel to prevent accidently + listening on IPv4 interfaces. + +1392. [bug] named-checkzone: update usage. + +1391. [func] Add support for IPv6 scoped addresses in named. + +1390. [func] host now supports ixfr. + +1386. [bug] named-checkzone -z stopped on errors in a zone. + [RT #3653] + +1383. [func] Track the serial number in a IXFR response and log if + a mismatch occurs. This is a more specific error than + "not exact". [RT #3445] + +1380. [func] 'rndc recursing' dump recursing queries to + 'recursing-file = "named.recursing";'. + +1379. [func] 'rndc status' now reports tcp and recursion quota + states. + +1378. [func] Improved positive feedback for 'rndc {reload|refresh}. + +1377. [func] dns_zone_load{new}() now reports if the zone was + loaded, queued for loading to up to date. + +1376. [func] New function dns_zone_logc() to log to specified + category. + +1375. [func] 'rndc dumpdb' now dumps the adb cache along with the + data cache. + +1374. [func] dns_adb_dump() now logs the lame zones associated + with each server. 
+ +1371. [bug] notify-source-v6, transfer-source-v6 and + query-source-v6 with explicit addresses and using the + same ports as named was listening on could interfere + with named's ability to answer queries sent to those + addresses. + +1368. [func] remove support for bitstring labels. + +1367. [func] Use response times to select forwarders. + +1365. [func] "localhost" and "localnets" acls now include IPv6 + addresses / prefixes. + +1364. [func] Log file name when unable to open memory statistics + and dump database files. [RT# 3437] + +1363. [func] Listen-on-v6 now supports specific addresses. + +1362. [bug] remove IFF_RUNNING test when scanning interfaces. + +1361. [func] log the reason for rejecting a server when resolving + queries. + +1355. [bug] Fix DNSSEC wildcard proof for CNAME/DNAME. + +1344. [func] Log if the serial number on the master has gone + backwards. + If you have multiple machines specified in the masters + clause you may want to set 'multi-master yes;' to + suppress this warning. + +1343. [func] Log successful notifies received (info). Adjust log + level for failed notifies to notice. + +1342. [func] Log remote address with TCP dispatch failures. + +1341. [func] Allow a rate limiter to be stalled. + +1339. [func] dig, host and nslookup now use IP6.ARPA for nibble + lookups. Bit string lookups are no longer attempted. + +1336. [func] Nibble lookups under IP6.ARPA are now supported by + dns_byaddr_create(). dns_byaddr_createptrname() is + deprecated, use dns_byaddr_createptrname2() instead. + +1332. [func] Report the current serial with periodic commits when + rolling forward the journal. + +1331. [func] Generate DNSSEC wildcard proofs. + +1329. [func] named-checkzone will now check if nameservers that + appear to be IP addresses. Available modes "fail", + "warn" (default) and "ignore" the results of the + check. + +1328. [bug] The validator could incorrectly verify an invalid + negative proof. + +1322. 
[bug] dnssec-signzone usage message was misleading. + +1321. [bug] If the last RRset in a zone is glue, dnssec-signzone + would incorrectly duplicate its output and sign it. + +1313. [func] Query log now says if the query was signed (S) or + if EDNS was used (E). + +1312. [func] Log TSIG key used w/ outgoing zone transfers. + +1309. [func] Log that a zone transfer was covered by a TSIG. + +1308. [func] DS (delegation signer) support. + +1304. [func] New function: dns_zone_name(). + +1303. [func] Option 'flush-zones-on-shutdown <boolean>;'. + +1302. [func] Extended rndc dumpdb to support dumping of zones and + view selection: 'dumpdb [-all|-zones|-cache] [view]'. + +1301. [func] New category 'update-security'. + +1300. [port] Compaq Trucluster support. + +1293. [func] Entropy can now be retrieved from EGDs. [RT #2438] + +1292. [func] Enable IPv6 support when using ioctl style interface + scanning and OS supports SIOCGLIFADDR using struct + if_laddrreq. + +1291. [func] Enable IPv6 support when using sysctl style interface + scanning. + +1290. [func] "dig axfr" now reports the number of messages + as well as the number of records. + +1285. [func] lwres: probe the system to see what address families + are currently in use. + +1283. [func] Use "dataready" accept filter if available. + +1281. [func] Log zone when unable to get private keys to update + zone. Log zone when NXT records are missing from + secure zone. + +1278. [func] dig: now supports +[no]cl +[no]ttlid. + +1277. [func] You can now create your own customized printing + styles: dns_master_stylecreate() and + dns_master_styledestroy(). + +1271. [bug] "recursion available: {denied,approved}" was too + confusing. + +1267. [func] isc_file_openunique() now creates file using mode + 0666 rather than 0600. + +1254. [func] preferred-glue option from BIND 8.3. + +1250. [func] Nsupdate will report the address the update was + sent to. + +1247. [bug] Don't reset the interface index for link/site local + addresses. 
[RT #2576] + +1246. [func] New functions isc_sockaddr_issitelocal(), + isc_sockaddr_islinklocal(), isc_netaddr_issitelocal() + and isc_netaddr_islinklocal(). + +1243. [bug] It was possible to trigger a REQUIRE() in + dns_message_findtype(). [RT #2659] + +1235. [func] Report 'out of memory' errors from openssl. + +1234. [bug] contrib/sdb: 'zonetodb' failed to call + dns_result_register(). DNS_R_SEENINCLUDE should not + be fatal. + +1233. [bug] The flags field of a KEY record can be expressed in + hex as well as decimal. + +1226. [func] Use EDNS for zone refresh queries. [RT #2551] + +1225. [func] dns_message_setopt() no longer requires that + dns_message_renderbegin() to have been called. + +1224. [bug] 'rrset-order' and 'sortlist' should be additive + not exclusive. + +1223. [func] 'rrset-order' partially works 'cyclic' and 'random' + are supported. + +1220. [func] Support for APL rdata type. + +1219. [func] Named now reports the TSIG extended error code when + signature verification fails. [RT #1651] + +1217. [func] Report locations of previous key definition when a + duplicate is detected. + +1213. [func] Report view associated with client if it is not a + standard view (_default or _bind). + +1203. [func] Report locations of previous acl and zone definitions + when a duplicate is detected. + +1202. [func] New functions: cfg_obj_line() and cfg_obj_file(). + +1192. [bug] The seconds fields in LOC records were restricted + to three decimal places. More decimal places should + be allowed but warned about. + +1190. [func] Add the "rndc freeze" and "rndc unfreeze" commands. + [RT #2394] + +1187. [bug] named was incorrectly returning DNSSEC records + in negative responses when the DO bit was not set. + +1181. [func] Add the "key-directory" configuration statement, + which allows the server to look for online signing + keys in alternate directories. + +1180. 
[func] dnssec-keygen should always generate keys with + protocol 3 (DNSSEC), since it's less confusing + that way. + +1179. [func] Add SIG(0) support to nsupdate. + +1177. [func] Report view when loading zones if it is not a + standard view (_default or _bind). [RT #2270] + +1171. [func] Added function isc_region_compare(), updated files in + lib/dns to use this function instead of local one. + +1169. [func] Identify recursive queries in the query log. + +1163. [func] isc_time_formattimestamp() now includes the year. + +1159. [bug] MD and MF are not permitted to be loaded by RFC1123. + +1158. [func] Report the client's address when logging notify + messages. + +1157. [func] match-clients and match-destinations now accept + keys. [RT #2045] + +1155. [func] Recover from master files being removed from under + us. + +1153. [func] 'rndc {stop|halt} -p' now reports the process id + of the instance of named being shutdown. + +1151. [bug] nslookup failed to check that the arguments to + the port, timeout, and retry options were + valid integers and in range. [RT #2099] + +1150. [bug] named incorrectly accepted TTL values + containing plus or minus signs, such as + 1d+1h-1s. + +1149. [func] New function isc_parse_uint32(). + +1148. [func] 'rndc-confgen -a' now provides positive feedback. + +1147. [func] Set IPV6_V6ONLY on IPv6 sockets if supported by + the OS. listen-on-v6 { any; }; should no longer + result in IPv4 queries be accepted. Similarly + control { inet :: ... }; should no longer result + in IPv4 connections being accepted. This can be + overridden at compile time by defining + ISC_ALLOW_MAPPED=1. + +1146. [func] Allow IPV6_IPV6ONLY to be set/cleared on a socket if + supported by the OS by a new function + isc_socket_ipv6only(). + +1145. [func] "host" no longer reports a NOERROR/NODATA response + by printing nothing. [RT #2065] + +1143. [bug] When a trusted-keys statement was present and named + was built without crypto support, it would leak memory. + +1139. 
[func] It is now possible to flush a given name from the + cache(s) via 'rndc flushname name [view]'. [RT #2051] + +1138. [func] It is now possible to flush a given name from the + cache by calling the new function + dns_cache_flushname(). + +1137. [func] It is now possible to flush a given name from the + ADB by calling the new function dns_adb_flushname(). + +1135. [func] You can now override the default syslog() facility for + named/lwresd at compile time. [RT #1982] + +1132. [func] Improve UPDATE prerequisite failure diagnostic messages. + +1128. [func] sdb drivers can now provide RR data in either text + or wire format, the latter using the new functions + dns_sdb_putrdata() and dns_sdb_putnamedrdata(). + +1127. [func] rndc: If the server to contact has multiple addresses, + try all of them. + +1119. [func] Added support in Win32 for NTFS file/directory ACL's + for access control. + +1115. [func] Set maximum values for cleaning-interval, + heartbeat-interval, interface-interval, + max-transfer-idle-in, max-transfer-idle-out, + max-transfer-time-in, max-transfer-time-out, + statistics-interval of 28 days and + sig-validity-interval of 3660 days. [RT #2002] + +1110. [bug] dig should only accept valid abbreviations of +options. + [RT #2003] + +1105. [port] OpenUNIX 8 enable threads by default. [RT #1970] + +1080. [bug] BIND 8 compatibility: accept bare IP prefixes + as the second element of a two-element top level + sort list statement. [RT #1964] + +1079. [bug] BIND 8 compatibility: accept bare elements at top + level of sort list treating them as if they were + a single element list. [RT #1963] + +1077. [func] Do not accept further recursive clients when + the total number of recursive lookups being + processed exceeds max-recursive-clients, even + if some of the lookups are internally generated. + [RT #1915, #1938] + +1073. [bug] The ADB cache cleaning should also be space driven. + [RT #1915, #1938] + +1067. [func] Allow quotas to be soft, isc_quota_soft(). 
+ +1065. [func] Runtime support to select new / old style interface + scanning using ioctls. + +1060. [func] Move refresh, stub and notify UDP retry processing + into dns_request. + +1059. [func] dns_request now support will now retry UDP queries, + dns_request_createvia2() and dns_request_createraw2(). + +1058. [func] Limited lifetime ticker timers are now available, + isc_timertype_limited. + +1055. [func] Version and hostname queries can now be disabled + using "version none;" and "hostname none;", + respectively. + +1049. [func] "pid-file none;" will disable writing a pid file. + [RT #1848] + +1037. [bug] Negative responses whose authority section contain + SOA or NS records whose owner names are not equal + equal to or parents of the query name should be + rejected. [RT #1862] + +1036. [func] Silently drop requests received via multicast as + long as there is no final multicast DNS standard. + +1035. [bug] If we respond to multicast queries (which we + currently do not), respond from a unicast address + as specified in RFC 1123. [RT #137] + +1034. [bug] Ignore the RD bit on multicast queries as specified + in RFC 1123. [RT #137] + +1032. [func] hostname.bind/txt/chaos now returns the name of + the machine hosting the nameserver. This is useful + in diagnosing problems with anycast servers. + +1025. [bug] Don't use multicast addresses to resolve iterative + queries. [RT #101] + +1024. [port] Compilation failed on HP-UX 11.11 due to + incompatible use of the SIOCGLIFCONF macro + name. [RT #1831] + +1023. [func] Accept hints without TTLs. + +1011. [cleanup] Removed isc_dir_current(). + +1009. [port] OpenUNIX 8 support. [RT #1728] + +1008. [port] libtool.m4, ltmain.sh from libtool-1.4.2. + +1007. [port] config.guess, config.sub from autoconf-2.52. + +1003. [func] Add the +retry option to dig. + + 999. [func] "rndc retransfer zone [class [view]]" added. + [RT #1752] + + 998. 
[func] named-checkzone now has arguments to specify the + chroot directory (-t) and working directory (-w). + [RT #1755] + + 997. [func] Add support for RSA-SHA1 keys (RFC3110). + + 996. [func] Issue warning if the configuration filename contains + the chroot path. + + 994. [func] Treat non-authoritative responses to queries for type + NS as referrals even if the NS records are in the + answer section, because BIND 8 servers incorrectly + send them that way. This is necessary for DNSSEC + validation of the NS records of a secure zone to + succeed when the parent is a BIND 8 server. [RT #1706] + + 993. [func] dig: -v now reports the version. + + 991. [func] Lower UDP refresh timeout messages to level + debug 1. + + 985. [func] Consider network interfaces to be up iff they have + a nonzero IP address rather than based on the + IFF_UP flag. [RT #1160] + + 983. [func] The server now supports generating IXFR difference + sequences for non-dynamic zones by comparing zone + versions, when enabled using the new config + option "ixfr-from-differences". [RT #1727] + + 982. [func] If "memstatistics-file" is set in options the memory + statistics will be written to it. + + 981. [func] The dnssec tools can now take multiple '-r randomfile' + arguments. + + 979. [func] Incremental master file dumping. dns_master_dumpinc(), + dns_master_dumptostreaminc(), dns_dumpctx_attach(), + dns_dumpctx_detach(), dns_dumpctx_cancel(), + dns_dumpctx_db() and dns_dumpctx_version(). + + 976. [func] named-checkconf can now test load master zones + (named-checkconf -z). [RT #1468] + + 970. [func] 'max-journal-size' can now be used to set a target + size for a journal. + + 969. [func] dig now supports the undocumented dig 8 feature + of allowing arbitrary labels, not just dotted + decimal quads, with the -x option. This can be + used to conveniently look up RFC2317 names as in + "dig -x 10.0.0.0-127". [RT #827, #1576, #1598] + + --- 9.2.3rc1 released --- + +1499. 
[bug] isc_random need to be seeded better if arc4random() + is not used. + +1498. [port] bsdos: 5.x support. + +1497. [protocol] dig, nslookup and host now perform nibble lookups + under IP6.ARPA, use -i for IP6.INT (dig and host). + lwres now uses IP6.ARPA. + +1496. [port] test for pthread_attr_setstacksize(). + +1495. [cleanup] Replace hash functions with universal hash. + +1494. [security] Turn on RSA BLINDING as a precaution. + +1493. [doc] A6 and "bitstring" labels are now experimental. + +1492. [cleanup] Preserve rwlock quota context when upgrading / + downgrading. [RT #5599] + +1491. [bug] dns_master_dump*() would produce extraneous $ORIGIN + lines. [RT #6206] + +1490. [bug] Accept reading state as well as working state in + ns_client_next(). [RT #6813] + +1489. [compat] Treat 'allow-update' on slave zones as a warning. + [RT #3469] + +1488. [bug] Don't override trust levels for glue addresses. + [RT #5764] + +1487. [bug] A REQUIRE() failure could be triggered if a zone was + queued for transfer and the zone was then removed. + [RT #6189] + +1486. [bug] isc_print_snprintf() '%%' consumed one too many format + characters. [RT# 8230] + +1485. [bug] gen failed to handle high type values. [RT #6225] + +1484. [bug] The number of records reported after a AXFR was wrong. + [RT #6229] + +1483. [bug] dig axfr failed if the message id in the answer failed + to match that in the request. Only the id in the first + message is required to match. [RT #8138] + +1482. [bug] named could fail to start if the kernel supports + IPv6 but no interfaces are configured. Similarly + for IPv4. [RT #6229] + +1481. [bug] Refresh and stub queries failed to use masters keys + if specified. [RT #7391] + +1480. [bug] Provide replay protection for rndc commands. Full + replay protection requires both rndc and named to + be updated. Partial replay protection (limited + exposure after restart) is provided if just named + is updated. + +1479. 
[bug] cfg_create_tuple() failed to handle out of + memory cleanup. parse_list() would leak memory + on syntax errors. + +1478. [port] ifconfig.sh didn't account for other virtual + interfaces. It now takes a optional argument + to specify the first interface number. [RT #3907] + +1477. [bug] memory leak using stub zones and TSIG. + +1476. [port] win32: port unreachables were blocking further i/o + on sockets (Windows 2000 SP2 and later). + +1473. [bug] create_map() and create_string() failed to handle out + of memory cleanup. [RT #6813] + +1472. [contrib] idnkit-1.0 from JPNIC, replaces mdnkit. + +1471. [bug] libbind: updated to BIND 8.4.0. + +1470. [bug] Incorrect length passed to snprintf. [RT #5966] + +1466. [bug] lwresd configuration errors resulted in memory + and lock leaks. [RT #5228] + +1465. [bug] isc_base64_decodestring() and isc_base64_tobuffer() + failed to check that trailing bits were zero allowing + some invalid base64 strings to be accepted. [RT #5397] + +1464. [bug] Preserve "out of zone" data for outgoing zone + transfers. [RT #5192] + +1463. [bug] dns_rdata_from{wire,struct}() failed to catch bad + NXT bit maps. [RT #5577] + +1462. [bug] parse_sizeval() failed to check the token type. + [RT #5586] + +1461. [bug] Remove deadlock from rbtdb code. [RT #5599] + +1460. [bug] inet_pton() failed to reject certain malformed + IPv6 literals. + +1459. [bug] win32: we were leaking a bits in the exception + fd_set resulting in "Socket operation on non-socket" + errors from select(). [RT #2966] + +1456. [contrib] gen-data-queryperf.py from Stephane Bortzmeyer. + +1453. [doc] ARM: $GENERATE example wasn't accurate. [RT #5298] + +1452. [bug] Bad #ifdef, ISC_RFC2335 -> ISC_RFC2535. + +1451. [bug] rndc-confgen didn't exit with a error code for all + failures. [RT #5209] + +1450. [bug] Fetching expired glue failed under certain + circumstances. [RT #5124] + +1449. [bug] query_addbestns() didn't handle running out of memory + gracefully. + +1448. 
[bug] Handle empty wildcards labels. + +1447. [bug] We were casting (unsigned int) to and from (void *). + rdataset->private4 is now rdataset->privateuint4 + to reflect a type change. + +1445. [bug] DNS_ADBFIND_STARTATROOT broke stub zones. This has + been replaced with DNS_ADBFIND_STARTATZONE which + causes the search to start using the closest zone. + +1439. [bug] Named could return NOERROR with certain NOTIFY + failures. Return NOTAUTH if the NOTIFY zone is + not being served. + +1435. [bug] zmgr_resume_xfrs() was being called read locked + rather than write locked. zmgr_resume_xfrs() + was not being called if the zone was being + shutdown. + +1437. [bug] Leave space for stdio to work in. [RT #5033] + +1434. [bug] "rndc reconfig" failed to initiate the initial + zone transfer of new slave zones. + +1431. [bug] isc_print_snprintf() "%s" with precision could walk off + end of argument. [RT #5191] + +1429. [bug] Prevent the cache getting locked to old servers. + +1424. [bug] EDNS version not being correctly printed. + +1423. [contrib] queryperf: added A6 and SRV. + +1420. [port] solaris: work around gcc optimizer bug. + +1419. [port] openbsd: use /dev/arandom. [RT #4950] + +1418. [bug] 'rndc reconfig' did not cause new slaves to load. + +1416. [bug] Empty node should return NOERROR NODATA, not NXDOMAIN. + [RT #4715] + +1411. [bug] empty nodes should stop wildcard matches. [RT #4802] + +1408. [bug] "make distclean" was not complete. [RT #4700] + +1407. [bug] lfsr incorrectly implements the shift register. + [RT #4617] + +1406. [bug] dispatch initializes one of the LFSR's with a incorrect + polynomial. [RT #4617] + +1405. [func] Use arc4random() if available. + +1401. [bug] adb wasn't clearing state when the timer expired. + +1399. [bug] Use serial number arithmetic when testing SIG + timestamps. [RT #4268] + +1397. [bug] J.ROOT-SERVERS.NET is now 192.58.128.30. + +1389. [bug] named could fail to rotate long log files. [RT #3666] + +1388. 
[port] irix: check for sys/sysctl.h and NET_RT_IFLIST before + defining HAVE_IFLIST_SYSCTL. [RT #3770] + +1387. [bug] named could crash due to an access to invalid memory + space (which caused an assertion failure) in + incremental cleaning. [RT #3588] + +1385. [bug] Setting serial-query-rate to 10 would trigger a + REQUIRE failure. + +1384. [bug] host was incompatible with BIND 8 in its exit code and + in the output with the -l option. [RT #3536] + +1373. [bug] Recovery from expired glue failed under certain + circumstances. + +1372. [bug] named crashes with an assertion failure on exit when + sharing the same port for listening and querying, and + changing listening addresses several times. [RT# 3509] + +1370. [bug] dig '+[no]recurse' was incorrectly documented. + +1369. [bug] Adding an NS record as the lexicographically last + record in a secure zone didn't work. + +1366. [contrib] queryperf usage was incomplete. Add '-h' for help. + +1348. [port] win32: Rewrote code to use I/O Completion Ports + in socket.c and eliminating a host of socket + errors. Performance is enhanced. + +1333. [contrib] queryperf now reports a summary of returned + rcodes (-c), rcodes are printed in mnemonic form (-v). + +1299. [bug] Set AI_ADDRCONFIG when looking up addresses + via getaddrinfo() (affects dig, host, nslookup, rndc + and nsupdate). + +1199. [doc] ARM reference to RFC 2157 should have been RFC 1918. + [RT #2436] + +1122. [tuning] Resolution timeout reduced from 90 to 30 seconds. + [RT #2046] + + 992. [doc] dig: ~/.digrc is now documented. + + --- 9.2.2 released --- + +1428. [port] hpux: temporary work around of hpux 11.11 interface + scanning. + +1427. [bug] Race condition in adb with threaded build. + +1426. [cleanup] Disable RFC2535 style DNSSEC. This is incompatible + with the forthcoming DS style DNSSEC. + +1425. [port] linux/libbind: define __USE_MISC when testing *_r() + function prototypes in netdb.h. [RT #4921] + +1395. 
[port] OpenSSL 0.9.7 defines CRYPTO_LOCK_ENGINE but doesn't + have a working implementation. [RT #4079] + +1382. [bug] make install failed with --enable-libbind. [RT #3656] + +1381. [bug] named failed to correctly process answers that + contained DNAME records where the resulting CNAME + resulted in a negative answer. + + --- 9.2.2rc1 released --- + +1360. [bug] --enable-libbind would fail when not built in the + source tree for certain OS's. + +1359. [security] Support patches OpenSSL libraries. + http://www.cert.org/advisories/CA-2002-23.html + +1358. [bug] It was possible to trigger a INSIST when debugging + large dynamic updates. [RT #3390] + +1357. [bug] nsupdate was extremely wasteful of memory. + +1356. [tuning] Reduce the number of events / quantum for zone tasks. + +1354. [doc] lwres man pages had illegal nroff. + +1353. [contrib] sdb/ldap to version 0.9. + +1352. [bug] dig, host, nslookup when falling back to TCP use the + current search entry (if any). [RT #3374] + +1351. [bug] lwres_getipnodebyname() returned the wrong name + when given a IPv4 literal, af=AF_INET6 and AI_MAPPED + was set. + +1350. [bug] dns_name_fromtext() failed to handle too many labels + gracefully. + +1349. [security] Minimum OpenSSL version now 0.9.6e (was 0.9.5a). + http://www.cert.org/advisories/CA-2002-23.html + +1346. [bug] Win32: select timeout in socket.c was too small + as value given was meant to be milliseconds and + timeval structure requires microseconds. This + caused high CPU loads with a compute bound loop. + [RT #3358] + +1345. [port] Use a explicit -Wformat with gcc. Not all versions + include it in -Wall. + +1340. [bug] Delay and spread out the startup refresh load. + +1335. [bug] When performing a nonexistence proof, the validator + should discard parent NXTs from higher in the DNS. + +1334. [bug] When signing/verifying rdatasets, duplicate rdatas + need to be suppressed. + +1330. 
[bug] When processing events (non-threaded) only allow + the task one chance to use to use its quantum. + +1327. [bug] The validator would incorrectly mark data as insecure + when seeing a bogus signature before a correct + signature. + +1326. [bug] DNAME/CNAME signatures were not being cached when + validation was not being performed. [RT #3284] + +1325. [bug] If the tcpquota was exhausted it was possible to + to trigger a INSIST() failure. + +1324. [port] darwin: ifconfig.sh now supports darwin. + +1323. [port] linux: Slackware 4.0 needs <asm/unistd.h>. [RT #3205] + +1320. [doc] query-source-v6 was missing from options section. + [RT #3218] + +1319. [func] libbind: log attempts to exploit #1318. + +1318. [bug] libbind: Remote buffer overrun. + +1317. [port] libbind: TrueUNIX 5.1 does not like __align as a + element name. + +1316. [bug] libbind: gethostans() could get out of sync parsing + the response if there was a very long CNAME chain. + +1315. [bug] Options should apply to the internal _bind view. + +1314. [port] Handle ECONNRESET from sendmsg() [unix]. + +1311. [bug] lwres_getrrsetbyname leaked memory. [RT #3159] + +1310. [bug] 'rndc stop' failed to cause zones to be flushed + sometimes. [RT #3157] + +1307. [bug] nsupdate: allow white space base64 key data. + +1306. [bug] Badly encoded LOC record when the size, horizontal + precision or vertical precision was 0.1m. + +1305. [bug] Document that internal zones are included in the + rndc status results. + +1298. [bug] The CINCLUDES macro in lib/dns/sec/dst/Makefile + could be left with a trailing "\" after configure + has been run. + +1297. [port] linux: make handling EINVAL from socket() no longer + conditional on #ifdef LINUX. + +1296. [bug] isc_log_closefilelogs() needed to lock the log + context. + +1295. [bug] isc_log_setdebuglevel() needed to lock the log + context. + +1294. [func] libbind: no longer attempts bit string labels for + IPv6 reverse resolution. 
Try IP6.ARPA then IP6.INT + for nibble style resolution. + +1289. [port] See if -ldl is required for OpenSSL? [RT #2672] + +1288. [bug] Adjusted REQUIRE's in lib/dns/name.c to better + reflect written requirements. + +1287. [bug] REQUIRE that DNS_DBADD_MERGE only be set when adding + a rdataset to a zone db in the rbtdb implementation of + addrdataset. + +1286. [bug] dns_name_downcase() enforce requirement that + target != NULL or name->buffer != NULL. + +1284. [bug] The RTT estimate on unused servers was not aged. + [RT #2569] + +1282. [port] libbind: hpux 11.11 interface scanning. + +1280. [bug] libbind: escape '(' and ')' when converting to + presentation form. + +1279. [port] Darwin uses (unsigned long) for size_t. [RT #2590] + +1276. [bug] libbind: const pointer conflicts in res_debug.c. + +1275. [port] libbind: hpux: treat all hpux systems as BIG_ENDIAN. + +1274. [bug] Memory leak in lwres_gnbarequest_parse(). + +1273. [port] libbind: solaris: 64 bit binary compatibility. + +1272. [contrib] Berkeley DB 4.0 sdb implementation from + Nuno Miguel Rodrigues <nmr@co.sapo.pt>. + +1270. [bug] Check that system inet_pton() and inet_ntop() support + AF_INET6. + +1269. [port] Openserver: ifconfig.sh support. + +1268. [port] Openserver: the value FD_SETSIZE depends on whether + <sys/param.h> is included or not. Be consistent. + +1266. [bug] ISC_LINK_INIT, ISC_LINK_UNLINK, ISC_LIST_DEQUEUE, + __ISC_LINK_UNLINKUNSAFE and __ISC_LIST_DEQUEUEUNSAFE + are not C++ compatible, use *_TYPE versions instead. + +1265. [bug] libbind: LINK_INIT and UNLINK were not compatible with + C++, use LINK_INIT_TYPE and UNLINK_TYPE instead. + +1263. [bug] Reference after free error if dns_dispatchmgr_create() + failed. + +1262. [bug] ns_server_destroy() failed to set *serverp to NULL. + +1261. [func] libbind: ns_sign2() and ns_sign_tcp() now provide + support for compressed TSIG owner names. + +1260. [func] libbind: res_update can now update IPv6 servers, + new function res_findzonecut2(). 
+ +1259. [bug] libbind: get_salen() IPv6 support was broken for OSs + w/o sa_len. + +1258. [bug] libbind: res_nametotype() and res_nametoclass() were + broken. + +1257. [bug] Failure to write pid-file should not be fatal on + reload. [RT #2861] + +1256. [contrib] 'queryperf' now has EDNS (-e) + DNSSEC DO (-D) support. + +1255. [bug] When verifying that an NXT proves nonexistence, check + the rcode of the message and only do the matching NXT + check. That is, for NXDOMAIN responses, check that + the name is in the range between the NXT owner and + next name, and for NOERROR NODATA responses, check + that the type is not present in the NXT bitmap. + +1253. [bug] The dnssec system test failed to remove the correct + files. + +1252. [bug] Dig, host and nslookup were not checking the address + the answer was coming from against the address it was + sent to. [RT# 2692] + +1248. [bug] DESTDIR was not being propagated between makes. + +1245. [bug] Treat ENOBUFS, ENOMEM and ENFILE as soft errors for + accept(). + +1242. [bug] named-checkzone failed if a journal existed. [RT #2657] + +1241. [bug] Drop received UDP messages with a zero source port + as these are invariably forged. [RT #2621] + +1209. [bug] Dig, host, nslookup were not checking the message ids + on the responses. [RT #2454] + +1097. [func] libbind: RES_PRF_TRUNC for dig. + +1096. [func] libbind: "DNSSEC OK" (DO) support. + +1095. [func] libbind: resolver option: no-tld-query. disables + trying unqualified as a tld. no_tld_query is also + supported for FreeBSD compatibility. + +1094. [func] libbind: add support gcc's format string checking. + +1089. [func] libbind: inet_{cidr,net}_{pton,ntop}() now have IPv6 + support. + + --- 9.2.1 released --- + +1251. [port] win32: a make file contained absolute version specific + references. + +1249. [bug] Missing masters clause was not handled gracefully. + [RT #2703] + +1244. 
[bug] Receiving a TCP message from a blackhole address would + prevent further messages being received over that + interface. + +1178. [bug] Follow and cache (if appropriate) A6 and other + data chains to completion in the additional section. + + --- 9.2.1rc2 released --- + +1240. [bug] It was possible to leak zone references by + specifying an incorrect zone to rndc. + +1239. [bug] Under certain circumstances named could continue to + use a name after it had been freed triggering + INSIST() failures. [RT #2614] + +1238. [bug] It is possible to lockup the server when shutting down + if notifies were being processed. [RT #2591] + +1237. [bug] nslookup: "set q=type" failed. + +1236. [bug] dns_rdata{class,type}_fromtext() didn't handle non + NULL terminated text regions. [RT #2588] + +1232. [bug] unix/errno2result() didn't handle EADDRNOTAVAIL. + +1231. [port] HPUX 11.11 recvmsg() can return spurious EADDRNOTAVAIL. + +1230. [bug] isccc_cc_isreply() and isccc_cc_isack() were broken. + +1229. [bug] named would crash if it received a TSIG signed + query as part of an AXFR response. [RT #2570] + +1228. [bug] 'make install' did not depend on 'make all'. [RT #2559] + +1227. [bug] dns_lex_getmastertoken() now returns ISC_R_BADNUMBER + if a number was expected and some other token was + found. [RT#2532] + +1222. [bug] Specifying 'port *' did not always result in a system + selected (non-reserved) port being used. [RT #2537] + +1221. [bug] Zone types 'master', 'slave' and 'stub' were not being + compared case insensitively. [RT #2542] + +1218. [bug] Named incorrectly returned SERVFAIL rather than + NOTAUTH when there was a TSIG BADTIME error. [RT #2519] + +1216. [bug] Multiple server clauses for the same server were not + reported. [RT #2514] + +1215. [port] solaris: add support to ifconfig.sh for x86 2.5.1 + +1214. [bug] Win32: isc_file_renameunique() could leave zero length + files behind. + +1212. 
[port] libbind: 64k answer buffers were causing stack space + to be exceeded for certain OS. Use heap space instead. + +1211. [bug] dns_name_fromtext() incorrectly handled certain + valid octal bitlabels. [RT #2483] + +1210. [bug] libbind: getnameinfo() failed to lookup IPv4 mapped / + compatible addresses. [RT #2461] + +1208. [bug] dns_master_load*() failed to log a error message if + an error was detected when parsing the ownername of + a record. [RT #2448] + + --- 9.2.1rc1 released --- + +1207. [bug] libbind: getaddrinfo() could call freeaddrinfo() with + an invalid pointer. + +1206. [bug] SERVFAIL and NOTIMP responses to an EDNS query should + trigger a non-EDNS retry. + +1205. [bug] OPT, TSIG and TKEY cannot be used to set the "class" + of the message. [RT #2449] + +1204. [bug] libbind: res_nupdate() failed to update the name + server addresses before sending the update. + +1201. [bug] Require that if 'callbacks' is passed to + dns_rdata_fromtext(), callbacks->error and + callbacks->warn are initialized. + +1200. [bug] Log 'errno' that we are unable to convert to + isc_result_t. [RT #2404] + +1198. [bug] OPT printing style was not consistent with the way the + header fields are printed. The DO bit was not reported + if set. Report if any of the MBZ bits are set. + +1197. [bug] Attempts to define the same acl multiple times were not + detected. + +1196. [contrib] update mdnkit to 2.2.3. + +1195. [bug] Attempts to redefine builtin acls should be caught. + [RT #2403] + +1194. [bug] Not all duplicate zone definitions were being detected + at the named.conf checking stage. [RT #2431] + +1193. [bug] Best effort parsing didn't handle packet truncation. + +1191. [bug] A dynamic update removing the last non-apex name in + a secure zone would fail. [RT #2399] + +1189. [bug] On some systems, malloc(0) returns NULL, which + could cause the caller to report an out of memory + error. [RT #2398] + +1188. 
[bug] Dynamic updates of a signed zone would fail if + some of the zone private keys were unavailable. + +1186. [bug] isc_hex_tobuffer(,,length = 0) failed to unget the + EOL token when reading to end of line. + +1185. [bug] libbind: don't assume statp->_u._ext.ext is valid + unless RES_INIT is set when calling res_*init(). + +1184. [bug] libbind: call res_ndestroy() if RES_INIT is set + when res_*init() is called. + +1183. [bug] Handle ENOSR error when writing to the internal + control pipe. [RT #2395] + +1182. [bug] The server could throw an assertion failure when + constructing a negative response packet. + +1176. [doc] Document that allow-v6-synthesis is only performed + for clients that are supplied recursive service. + [RT #2260] + +1175. [bug] named-checkzone failed to call dns_result_register() + at startup which could result in runtime + exceptions when printing "out of memory" errors. + [RT #2335] + +1174. [bug] Win32: add WSAECONNRESET to the expected errors + from connect(). [RT #2308] + +1173. [bug] Potential memory leaks in isc_log_create() and + isc_log_settag(). [RT #2336] + +1172. [doc] Add CERT, GPOS, KX, NAPTR, NSAP, PX and TXT to + table of RR types in ARM. + +1170. [bug] Don't attempt to print the token when a I/O error + occurs when parsing named.conf. [RT #2275] + +1168. [bug] Empty also-notify clauses were not handled. [RT #2309] + +1167. [contrib] nslint-2.1a3 (from author). + +1166. [bug] "Not Implemented" should be reported as NOTIMP, + not NOTIMPL. [RT #2281] + +1165. [bug] We were rejecting notify-source{-v6} in zone clauses. + +1164. [bug] Empty masters clauses in slave / stub zones were not + handled gracefully. [RT #2262] + +1162. [bug] The allow-notify option was not accepted in slave + zone statements. + +1161. [bug] named-checkzone looped on unbalanced brackets. + [RT #2248] + +1160. [bug] Generating Diffie-Hellman keys longer than 1024 + bits could fail. [RT #2241] + +1156. 
[port] The configure test for strsep() incorrectly + succeeded on certain patched versions of + AIX 4.3.3. [RT #2190] + +1154. [bug] Don't attempt to obtain the netmask of a interface + if there is no address configured. [RT #2176] + +1152. [bug] libbind: read buffer overflows. + +1144. [bug] rndc-confgen would crash if both the -a and -t + options were specified. [RT #2159] + +1142. [bug] dnssec-signzone would fail to delete temporary files + in some failure cases. [RT #2144] + +1141. [bug] When named rejected a control message, it would + leak a file descriptor and memory. It would also + fail to respond, causing rndc to hang. + [RT #2139, #2164] + +1140. [bug] rndc-confgen did not accept IPv6 addresses as arguments + to the -s option. [RT #2138] + +1136. [bug] CNAME records synthesized from DNAMEs did not + have a TTL of zero as required by RFC2672. + [RT #2129] + +1125. [bug] rndc: -k option was missing from usage message. + [RT #2057] + +1124. [doc] dig: +[no]dnssec, +[no]besteffort and +[no]fail + are now documented. [RT #2052] + +1123. [bug] dig +[no]fail did not match description. [RT #2052] + +1109. [bug] nsupdate accepted illegal ttl values. + +1108. [bug] On Win32, rndc was hanging when named was not running + due to failure to select for exceptional conditions + in select(). [RT #1870] + +1081. [bug] Multicast queries were incorrectly identified + based on the source address, not the destination + address. + +1072. [bug] The TCP client quota could be exceeded when + recursion occurred. [RT #1937] + +1071. [bug] Sockets listening for TCP DNS connections + specified an excessive listen backlog. [RT #1937] + +1070. [bug] Copy DNSSEC OK (DO) to response as specified by + draft-ietf-dnsext-dnssec-okbit-03.txt. + +1014. [bug] Some queries would cause statistics counters to + increment more than once or not at all. [RT #1321] + +1012. [bug] The -p option to named did not behave as documented. + + 988. 
[bug] 'additional-from-auth no;' did not work reliably + in the case of queries answered from the cache. + [RT #1436] + + 995. [bug] dig, host, nslookup: using a raw IPv6 address as a + target address should be fatal on a IPv4 only system. + + --- 9.2.0 released --- + +1134. [bug] Multi-threaded servers could deadlock in ferror() + when reloading zone files. [RT #1951, #1998] + +1133. [bug] IN6_IS_ADDR_LOOPBACK was not portably defined on + platforms without IN6_IS_ADDR_LOOPBACK. [RT #2106] + + --- 9.2.0rc10 released --- + +1131. [bug] The match-destinations view option did not work with + IPv6 destinations. [RT #2073, #2074] + +1130. [bug] Log messages reporting an out-of-range serial number + did not include the out-of-range number but the + following token. [RT #2076] + +1129. [bug] Multi-threaded servers could crash under heavy + resolution load due to a race condition. [RT #2018] + +1126. [bug] The server could access a freed event if shut + down while a client start event was pending + delivery. [RT #2061] + +1121. [bug] The server could attempt to access a NULL zone + table if shut down while resolving. + [RT #1587, #2054] + +1120. [bug] Errors in options were not fatal. [RT #2002] + +1118. [bug] On multi-threaded servers, a race condition + could cause an assertion failure in resolver.c + during resolver shutdown. [RT #2029] + +1117. [port] The configure check for in6addr_loopback incorrectly + succeeded on AIX 4.3 when compiling with -O2 + because the test code was optimized away. + [RT #2016] + +1116. [bug] Setting transfers in a server clause, transfers-in, + or transfers-per-ns to a value greater than + 2147483647 disabled transfers. [RT #2002] + +1114. [port] Ignore more accept() errors. [RT #2021] + +1113. [bug] The allow-update-forwarding option was ignored + when specified in a view. [RT #2014] + +1111. [bug] Multi-threaded servers could deadlock processing + recursive queries due to a locking hierarchy + violation in adb.c. 
[RT #2017] + + --- 9.2.0rc9 released --- + +1107. [bug] nsupdate could catch an assertion failure if an + invalid domain name was given as the argument to + the "zone" command. + +1106. [bug] After seeing an out of range TTL, nsupdate would + treat all TTLs as out of range. [RT #2001] + +1104. [bug] Invalid arguments to the transfer-format option + could cause an assertion failure. [RT #1995] + +1103. [port] OpenUNIX 8 support (ifconfig.sh). [RT #1970] + +1102. [doc] Note that query logging is enabled by directing the + queries category to a channel. + +1101. [bug] Array bounds read error in lwres_gai_strerror. + +1100. [bug] libbind: DNSSEC key ids were computed incorrectly. + +1099. [cleanup] libbind: defining REPORT_ERRORS in lib/bind/dst caused + compile time errors. + +1098. [bug] libbind: HMAC-MD5 key files are now mode 0600. + +1093. [doc] libbind: miscellaneous nroff fixes. + +1092. [bug] libbind: get*by*() failed to check if res_init() had + been called. + +1091. [bug] libbind: misplaced va_end(). + +1090. [bug] libbind: dns_ho.c:add_hostent() was not returning + the amount of memory consumed resulting in garbage + address being returned. Alignment calculations were + wasting space. We weren't suppressing duplicate + addresses. + +1088. [port] libbind: MPE/iX C.70 (incomplete) + +1087. [bug] libbind: struct __res_state too large on 64 bit arch. + +1086. [port] libbind: sunos: old sprintf. + +1085. [port] libbind: solaris: sys_nerr and sys_errlist do not + exist when compiling in 64 bit mode. + +1084. [cleanup] libbind: gai_strerror() rewritten. + +1083. [bug] The default control channel listened on the + wildcard address, not the loopback as documented. + [RT #1975] + +1082. [bug] The -g option to named incorrectly caused logging + to be sent to syslog in addition to stderr. + [RT #1974] + +1078. [bug] We failed to correct bad tv_usec values in one case. + [RT #1966] + +1076. 
[bug] A badly defined global key could trigger an assertion + on load/reload if views were used. [RT #1947] + +1075. [bug] Out-of-range network prefix lengths were not + reported. [RT #1954] + +1074. [bug] Running out of memory in dump_rdataset() could + cause an assertion failure. [RT #1946] + + --- 9.2.0rc8 released --- + +1068. [bug] errno could be overwritten by catgets(). [RT #1921] + +1066. [bug] Provide a thread safe wrapper for strerror(). + [RT #1689] + +1064. [bug] Do not shut down active network interfaces if we + are unable to scan the interface list. [RT #1921] + +1063. [bug] libbind: "make install" was failing on IRIX. + [RT #1919] + +1062. [bug] If the control channel listener socket was shut + down before server exit, the listener object could + be freed twice. [RT #1916] + +1061. [bug] If periodic cache cleaning happened to start + while cleaning due to reaching the configured + maximum cache size was in progress, the server + could catch an assertion failure. [RT #1912] + +1057. [bug] Reloading the server after adding a "file" clause + to a zone statement could cause the server to + crash due to a typo in change 1016. + +1056. [bug] Rndc could catch an assertion failure on SIGINT due + to an uninitialized variable. [RT #1908] + + --- 9.2.0rc7 released --- + +1054. [bug] On Win32, cfg_categories and cfg_modules need to be + exported from the libisccfg DLL. + +1053. [bug] Dig did not increase its timeout when receiving + AXFRs unless the +time option was used. [RT #1904] + +1052. [bug] Journals were not being created in binary mode + resulting in "journal format not recognized" error + under Win32. [RT #1889] + +1051. [bug] Do not ignore a network interface completely just + because it has a noncontiguous netmask. Instead, + omit it from the localnets ACL and issue a warning. + [RT #1891] + +1050. 
[bug] Log messages reporting malformed IP addresses in + address lists such as that of the forwarders option + failed to include the correct error code, file + name, and line number. [RT #1890] + +1048. [bug] Servers built with -DISC_MEM_USE_INTERNAL_MALLOC=1 + didn't work. + +1047. [bug] named was incorrectly refusing all requests signed + with a TSIG key derived from an unsigned TKEY + negotiation with a NOERROR response. [RT #1886] + +1046. [bug] The help message for the --with-openssl configure + option was inaccurate. [RT #1880] + +1045. [bug] It was possible to skip saving glue for a nameserver + for a stub zone. + +1044. [bug] Specifying allow-transfer, notify-source, or + notify-source-v6 in a stub zone was not treated + as an error. + +1043. [bug] Specifying a transfer-source or transfer-source-v6 + option in the zone statement for a master zone was + not treated as an error. [RT #1876] + +1042. [bug] The "config" logging category did not work properly. + [RT #1873] + +1041. [bug] Dig/host/nslookup could catch an assertion failure + on SIGINT due to an uninitialized variable. [RT #1867] + +1040. [bug] Multiple listen-on-v6 options with different ports + were not accepted. [RT #1875] + +1039. [bug] Negative responses with CNAMEs in the answer section + were cached incorrectly. [RT #1862] + +1038. [bug] In servers configured with a tkey-domain option, + TKEY queries with an owner name other than the root + could cause an assertion failure. [RT #1866, #1869] + +1033. [bug] Always respond to requests with an unsupported opcode + with NOTIMP, even if we don't have a matching view + or cannot determine the class. + + --- 9.2.0rc6 released --- + +1031. [bug] libbind.a: isc__gettimeofday() infinite recursion. + [RT #1858] + +1030. [bug] On systems with no resolv.conf file, nsupdate + exited with an error rather than defaulting + to using the loopback address. [RT #1836] + +1029. 
[bug] Some named.conf errors did not cause the loading + of the configuration file to return a failure + status even though they were logged. [RT #1847] + +1028. [bug] On Win32, dig/host/nslookup looked for resolv.conf + in the wrong directory. [RT #1833] + +1027. [bug] RRs having the reserved type 0 should be rejected. + [RT #1471] + +1026. [port] Recognize OpenUNIX 8 in config.guess. [RT #1830] + +1022. [bug] Don't report empty root hints as "extra data". + [RT #1802] + + --- 9.2.0rc5 released --- + +1021. [bug] On Win32, log message timestamps were one month + later than they should have been, and the server + would exhibit unspecified behavior in December. + +1020. [bug] IXFR log messages did not distinguish between + true IXFRs, AXFR-style IXFRs, and mere version + polls. [RT #1811] + +1019. [bug] The value of the lame-ttl option was limited to 18000 + seconds, not 1800 seconds as documented. [RT #1803] + +1018. [bug] The default log channel was not always initialized + correctly. [RT #1813] + +1017. [bug] When specifying TSIG keys to dig and nsupdate using + the -k option, they must be HMAC-MD5 keys. [RT #1810] + +1016. [bug] Slave zones with no backup file were re-transferred + on every server reload. + +1015. [bug] Log channels that had a "versions" option but no + "size" option failed to create numbered log + files. [RT #1783] + + --- 9.2.0rc4 released --- + +1013. [bug] It was possible to cancel a query twice when marking + a server as bogus or by having a blackhole acl. + [RT #1776] + +1010. [bug] The server could attempt to execute a command channel + command after initiating server shutdown, causing + an assertion failure. [RT #1766] + +1006. [bug] If a KEY RR was found missing during DNSSEC validation, + an assertion failure could subsequently be triggered + in the resolver. [RT #1763] + +1005. [bug] Don't copy nonzero RCODEs from request to response. + [RT #1765] + +1004. [port] Deal with recvfrom() returning EHOSTDOWN. [RT #1770] + +1002. 
[bug] When reporting an unknown class name in named.conf, + including the file name and line number. [RT #1759] + +1001. [bug] win32 socket code doio_recv was not catching a + WSACONNRESET error when a client was timing out + the request and closing its socket. [RT #1745] + +1000. [bug] BIND 8 compatibility: accept "HESIOD" as an alias + for class "HS". [RT #1759] + + --- 9.2.0rc3 released --- + + 990. [bug] The rndc-confgen man page was not installed. + + 989. [bug] Report filename if $INCLUDE fails for file related + errors. [RT #1736] + + 987. [bug] "dig -help" didn't show "+[no]stats". + + 986. [bug] "dig +noall" failed to clear stats and command + printing. + + 984. [bug] Multi-threading should be enabled by default on + Solaris 2.7 and newer, but it wasn't. + + --- 9.2.0rc2 released --- + + 980. [bug] Incoming zone transfers restarting after an error + could trigger an assertion failure. [RT #1692] + + 978. [bug] dns_db_attachversion() had an invalid REQUIRE() + condition. + + 977. [bug] Improve "not at top of zone" error message. + + 975. [bug] "max-cache-size default;" as a view option + caused an assertion failure. + + 974. [bug] "max-cache-size unlimited;" as a global option + was not accepted. + + 973. [bug] Failed to log the question name when logging: + "bad zone transfer request: non-authoritative zone + (NOTAUTH)". + + 972. [bug] The file modification time code in zone.c was using the + wrong epoch. [RT #1667] + + 968. [bug] On win32, the isc_time_now() function was unnecessarily + calling strtime(). [RT #1671] + + 967. [bug] On win32, the link for bindevt was not including the + required resource file to enable the event viewer + to interpret the error messages in the event log, + [RT #1668] + + 966. [placeholder] + + 965. [bug] Including data other than root server NS and A + records in the root hint file could cause a rbtdb + node reference leak. [RT #1581, #1618] + + 964. 
[func] Warn if data other than root server NS and A records + are found in the root hint file. [RT #1581, #1618] + + 963. [bug] Bad ISC_LANG_ENDDECLS. [RT #1645] + + 962. [bug] libbind: bad "#undef", don't attempt to install + non-existant nlist.h. [RT #1640] + + 961. [bug] Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6 + was not defined. [RT #1482] + + 960. [port] liblwres failed to build on systems with support for + getrrsetbyname() in the OS. [RT #1592] + + 959. [port] On FreeBSD, determine the number of CPUs by calling + sysctlbyname(). [RT #1584] + + 958. [port] ssize_t is not available on all platforms. [RT #1607] + + 957. [bug] sys/select.h inclusion was broken on older platforms. + [RT #1607] + + 956. [bug] ns_g_autorndcfile changed to ns_g_keyfile + in named/win32/os.c due to code changes in + change #953. win32 .make file for rndc-confgen + updated to add include path for os.h header. + + --- 9.2.0rc1 released --- + + 955. [bug] When using views, the zone's class was not being + inherited from the view's class. [RT #1583] + + 954. [bug] When requesting AXFRs or IXFRs using dig, host, or + nslookup, the RD bit should not be set as zone + transfers are inherently nonrecursive. [RT #1575] + + 953. [func] The /var/run/named.key file from change #843 + has been replaced by /etc/rndc.key. Both + named and rndc will look for this file and use + it to configure a default control channel key + if not already configured using a different + method (rndc.conf / controls). Unlike + named.key, rndc.key is not created automatically; + it must be created by manually running + "rndc-confgen -a". + + 952. [bug] The server required manual intervention to serve the + affected zones if it died between creating a journal + and committing the first change to it. + + 951. [bug] CFLAGS was not passed to the linker when + linking some of the test programs under + bin/tests. [RT #1555]. + + 950. 
[bug] Explicit TTLs did not properly override $TTL + due to a bug in change 834. [RT #1558] + + 949. [bug] host was unable to print records larger than 512 + bytes. [RT #1557] + + --- 9.2.0b2 released --- + + 948. [port] Integrated support for building on Windows NT / + Windows 2000. + + 947. [bug] dns_rdata_soa_t had a badly named element "mname" which + was really the RNAME field from RFC1035. To avoid + confusion and silent errors that would occur it the + "origin" and "mname" elements were given their correct + names "mname" and "rname" respectively, the "mname" + element is renamed to "contact". + + 946. [cleanup] doc/misc/options is now machine-generated from the + configuration parser syntax tables, and therefore + more likely to be correct. + + 945. [func] Add the new view-specific options + "match-destinations" and "match-recursive-only". + + 944. [func] Check for expired signatures on load. + + 943. [bug] The server could crash when receiving a command + via rndc if the configuration file listed only + nonexistent keys in the controls statement. [RT #1530] + + 942. [port] libbind: GETNETBYADDR_ADDR_T was not correctly + defined on some platforms. + + 941. [bug] The configuration checker crashed if a slave + zone didn't contain a masters statement. [RT #1514] + + 940. [bug] Double zone locking failure on error path. [RT #1510] + + --- 9.2.0b1 released --- + + 939. [port] Add the --disable-linux-caps option to configure for + systems that manage capabilities outside of named. + [RT #1503] + + 938. [placeholder] + + 937. [bug] A race when shutting down a zone could trigger a + INSIST() failure. [RT #1034] + + 936. [func] Warn about IPv4 addresses that are not complete + dotted quads. [RT #1084] + + 935. [bug] inet_pton failed to reject leading zeros. + + 934. [port] Deal with systems where accept() spuriously returns + ECONNRESET. + + 933. [bug] configure failed doing libbind on platforms not + supported by BIND 8. 
[RT #1496] + + --- 9.2.0a3 released --- + + 932. [bug] Use INSTALL_SCRIPT, not INSTALL_PROGRAM, + when installing isc-config.sh. + [RT #198, #1466] + + 931. [bug] The controls statement only attempted to verify + messages using the first key in the key list. + (9.2.0a1/a2 only). + + 930. [func] Query performance testing tool added as + contrib/queryperf. + + 929. [placeholder] + + 928. [bug] nsupdate would send empty update packets if the + send (or empty line) command was run after + another send but before any new updates or + prerequisites were specified. It should simply + ignore this command. + + 927. [bug] Don't hold the zone lock for the entire dump to disk. + [RT #1423] + + 926. [bug] The resolver could deadlock with the ADB when + shutting down (multi-threaded builds only). + [RT #1324] + + 925. [cleanup] Remove openssl from the distribution; require that + --with-openssl be specified if DNSSEC is needed. + + 924. [port] Extend support for pre-RFC2133 IPv6 implementation. + [RT #987] + + 923. [bug] Multiline TSIG secrets (and other multiline strings) + were not accepted in named.conf. [RT #1469] + + 922. [func] Added two new lwres_getrrsetbyname() result codes, + ERR_NONAME and ERR_NODATA. + + 921. [bug] lwres returned an incorrect error code if it received + a truncated message. + + 920. [func] Increase the lwres receive buffer size to 16K. + [RT #1451] + + 919. [placeholder] + + 918. [func] In nsupdate, TSIG errors are no longer treated as + fatal errors. + + 917. [func] New nsupdate command 'key', allowing TSIG keys to + be specified in the nsupdate command stream rather + than the command line. + + 916. [bug] Specifying type ixfr to dig without specifying + a serial number failed in unexpected ways. + + 915. [func] The named-checkconf and named-checkzone programs + now have a '-v' option for printing their version. + [RT #1151] + + 914. [bug] Global 'server' statements were rejected when + using views, even though they were accepted + in 9.1. 
[RT #1368] + + 913. [bug] Cache cleaning was not sufficiently aggressive. + [RT #1441, #1444] + + 912. [bug] Attempts to set the 'additional-from-cache' or + 'additional-from-auth' option to 'no' in a + server with recursion enabled will now + be ignored and cause a warning message. + [RT #1145] + + 911. [placeholder] + + 910. [port] Some pre-RFC2133 IPv6 implementations do not define + IN6ADDR_ANY_INIT. [RT #1416] + + 908. [func] New program, rndc-confgen, to simplify setting up rndc. + + 907. [func] The ability to get entropy from either the + random device, a user-provided file or from + the keyboard was migrated from the DNSSEC tools + to libisc as isc_entropy_usebestsource(). + + 906. [port] Separated the system independent portion of + lib/isc/unix/entropy.c into lib/isc/entropy.c + and added lib/isc/win32/entropy.c. + + 905. [bug] Configuring a forward "zone" for the root domain + did not work. [RT #1418] + + 904. [bug] The server would leak memory if attempting to use + an expired TSIG key. [RT #1406] + + 903. [bug] dig should not crash when receiving a TCP packet + of length 0. + + 902. [bug] The -d option was ignored if both -t and -g were also + specified. + + 901. [placeholder] + + 900. [bug] A config.guess update changed the system identification + string of FreeBSD systems; configure and + bin/tests/system/ifconfig.sh now recognize the new + string. + + --- 9.2.0a2 released --- + + 899. [bug] lib/dns/soa.c failed to compile on many platforms + due to inappropriate use of a void value. + [RT #1372, #1373, #1386, #1387, #1395] + + 898. [bug] "dig" failed to set a nonzero exit status + on UDP query timeout. [RT #1323] + + 897. [bug] A config.guess update changed the system identification + string of UnixWare systems; configure now recognizes + the new string. + + 896. 
[bug] If a configuration file is set on named's command line + and it has a relative pathname, the current directory + (after any possible jailing resulting from named -t) + will be prepended to it so that reloading works + properly even when a directory option is present. + + 895. [func] New function, isc_dir_current(), akin to POSIX's + getcwd(). + + 894. [bug] When using the DNSSEC tools, a message intended to warn + when the keyboard was being used because of the lack + of a suitable random device was not being printed. + + 893. [func] Removed isc_file_test() and added isc_file_exists() + for the basic functionality that was being added + with isc_file_test(). + + 892. [placeholder] + + 891. [bug] Return an error when a SIG(0) signed response to + an unsigned query is seen. This should actually + do the verification, but it's not currently + possible. [RT #1391] + + 890. [cleanup] The man pages no longer require the mandoc macros + and should now format cleanly using most versions of + nroff, and HTML versions of the man pages have been + added. Both are generated from DocBook source. + + 889. [port] Eliminated blank lines before .TH in nroff man + pages since they cause problems with some versions + of nroff. [RT #1390] + + 888. [bug] Don't die when using TKEY to delete a nonexistent + TSIG key. [RT #1392] + + 887. [port] Detect broken compilers that can't call static + functions from inline functions. [RT #1212] + + 866. [func] Close debug only file channels when debug is set to + zero. [RT #1246] + + 865. [bug] The new configuration parser did not allow + the optional debug level in a "severity debug" + clause of a logging channel to be omitted. + This is now allowed and treated as "severity + debug 1;" like it does in BIND 8.2.4, not as + "severity debug 0;" like it did in BIND 9.1. + [RT #1367] + + 864. [cleanup] Multi-threading is now enabled by default on + OSF1, Solaris 2.7 and newer, AIX, IRIX, and HP-UX. + + 863. 
[bug] If an error occurred while an outgoing zone transfer + was starting up, the server could access a domain + name that had already been freed when logging a + message saying that the transfer was starting. + [RT #1383] + + 862. [bug] Use after realloc(), non portable pointer arithmetic in + grmerge(). + + 861. [port] Add support for Mac OS X, by making it equivalent + to Darwin. This was derived from the config.guess + file shipped with Mac OS X. [RT #1355] + + 860. [func] Drop cross class glue in zone transfers. + + 859. [bug] Cache cleaning now won't swamp the CPU if there + is a persistent overlimit condition. + + 858. [func] isc_mem_setwater() no longer requires that when the + callback function is non-NULL then its hi_water + argument must be greater than its lo_water argument + (they can now be equal) or that they be non-zero. + + 857. [cleanup] Use ISC_MAGIC() to define all magic numbers for + structs, for our friends in EBCDIC-land. + + 856. [func] Allow partial rdatasets to be returned in answer and + authority sections to help non-TCP capable clients + recover from truncation. [RT #1301] + + 855. [bug] Stop spurious "using RFC 1035 TTL semantics" warnings. + + 854. [bug] The config parser didn't properly handle config + options that were specified in units of time other + than seconds. [RT #1372] + + 853. [bug] configure_view_acl() failed to detach existing acls. + [RT #1374] + + 852. [bug] Handle responses from servers which do not know + about IXFR. + + 851. [cleanup] The obsolete support-ixfr option was not properly + ignored. + + --- 9.2.0a1 released --- + + 850. [bug] dns_rbt_findnode() would not find nodes that were + split on a bitstring label somewhere other than in + the last label of the node. [RT #1351] + + 849. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined. + + 848. [func] A minimum max-cache-size of two megabytes is enforced + by the cache cleaner. + + 847. 
[func] Added isc_file_test(), which currently only has + some very basic functionality to test for the + existence of a file, whether a pathname is absolute, + or whether a pathname is the fundamental representation + of the current directory. It is intended that this + function can be expanded to test other things a + programmer might want to know about a file. + + 846. [func] A non-zero 'param' to dst_key_generate() when making an + hmac-md5 key means that good entropy is not required. + + 845. [bug] The access rights on the public file of a symmetric + key are now restricted as soon as the file is opened, + rather than after it has been written and closed. + + 844. [func] <isc/net.h> will ensure INADDR_LOOPBACK is defined, + just as <lwres/net.h> does. + + 843. [func] If no controls statement is present in named.conf, + or if any inet phrase of a controls statement is + lacking a keys clause, then a key will be automatically + generated by named and an rndc.conf-style file + named named.key will be written that uses it. rndc + will use this file only if its normal configuration + file, or one provided on the command line, does not + exist. + + 842. [func] 'rndc flush' now takes an optional view. + + 841. [bug] When sdb modules were not declared threadsafe, their + create and destroy functions were not serialized. + + 840. [bug] The config file parser could print the wrong file + name if an error was detected after an included file + was parsed. [RT #1353] + + 839. [func] Dump packets for which there was no view or that the + class could not be determined to category "unmatched". + + 838. [port] UnixWare 7.x.x is now suported by + bin/tests/system/ifconfig.sh. + + 837. [cleanup] Multi-threading is now enabled by default only on + OSF1, Solaris 2.7 and newer, and AIX. + + 836. [func] Upgraded libtool to 1.4. + + 835. [bug] The dispatcher could enter a busy loop if + it got an I/O error receiving on a UDP socket. + [RT #1293] + + 834. 
[func] Accept (but warn about) master files beginning with + an SOA record without an explicit TTL field and + lacking a $TTL directive, by using the SOA MINTTL + as a default TTL. This is for backwards compatibility + with old versions of BIND 8, which accepted such + files without warning although they are illegal + according to RFC1035. + + 833. [cleanup] Moved dns_soa_*() from <dns/journal.h> to + <dns/soa.h>, and extended them to support + all the integer-valued fields of the SOA RR. + + 832. [bug] The default location for named.conf in named-checkconf + should depend on --sysconfdir like it does in named. + [RT #1258] + + 831. [placeholder] + + 830. [func] Implement 'rndc status'. + + 829. [bug] The DNS_R_ZONECUT result code should only be returned + when an ANY query is made with DNS_DBFIND_GLUEOK set. + In all other ANY query cases, returning the delegation + is better. + + 828. [bug] The errno value from recvfrom() could be overwritten + by logging code. [RT #1293] + + 827. [bug] When an IXFR protocol error occurs, the slave + should retry with AXFR. + + 826. [bug] Some IXFR protocol errors were not detected. + + 825. [bug] zone.c:ns_query() detached from the wrong zone + reference. [RT #1264] + + 824. [bug] Correct line numbers reported by dns_master_load(). + [RT #1263] + + 823. [func] The output of "dig -h" now goes to stdout so that it + can easily be piped through "more". [RT #1254] + + 822. [bug] Sending nxrrset prerequisites would crash nsupdate. + [RT #1248] + + 821. [bug] The program name used when logging to syslog should + be stripped of leading path components. + [RT #1178, #1232] + + 820. [bug] Name server address lookups failed to follow + A6 chains into the glue of local authoritative + zones. + + 819. [bug] In certain cases, the resolver's attempts to + restart an address lookup at the root could cause + the fetch to deadlock (with itself) instead of + restarting. [RT #1225] + + 818. 
[bug] Certain pathological responses to ANY queries could + cause an assertion failure. [RT #1218] + + 817. [func] Adjust timeouts for dialup zone queries. + + 816. [bug] Report potential problems with log file accessibility + at configuration time, since such problems can't + reliably be reported at the time they actually occur. + + 815. [bug] If a log file was specified with a path separator + character (i.e. "/") in its name and the directory + did not exist, the log file's name was treated as + though it were the directory name. [RT #1189] + + 814. [bug] Socket objects left over from accept() failures + were incorrectly destroyed, causing corruption + of socket manager data structures. + + 813. [bug] File descriptors exceeding FD_SETSIZE were handled + badly. [RT #1192] + + 812. [bug] dig sometimes printed incomplete IXFR responses + due to an uninitialized variable. [RT #1188] + + 811. [bug] Parentheses were not quoted in zone dumps. [RT #1194] + + 810. [bug] The signer name in SIG records was not properly + downcased when signing/verifying records. [RT #1186] + + 809. [bug] Configuring a non-local address as a transfer-source + could cause an assertion failure during load. + + 808. [func] Add 'rndc flush' to flush the server's cache. + + 807. [bug] When setting up TCP connections for incoming zone + transfers, the transfer-source port was not + ignored like it should be. + + 806. [bug] DNS_R_SEENINCLUDE was failing to propagate back up + the calling stack to the zone maintence level, causing + zones to not reload when an included file was touched + but the top-level zone file was not. + + 805. [bug] When using "forward only", missing root hints should + not cause queries to fail. [RT #1143] + + 804. [bug] Attempting to obtain entropy could fail in some + situations. This would be most common on systems + with user-space threads. [RT #1131] + + 803. 
[bug] Treat all SIG queries as if they have the CD bit set, + otherwise no data will be returned [RT #749] + + 802. [bug] DNSSEC key tags were computed incorrectly in almost + all cases. [RT #1146] + + 801. [bug] nsupdate should treat lines beginning with ';' as + comments. [RT #1139] + + 800. [bug] dnssec-signzone produced incorrect statistics for + large zones. [RT #1133] + + 799. [bug] The ADB didn't find AAAA glue in a zone unless A6 + glue was also present. + + 798. [bug] nsupdate should be able to reject bad input lines + and continue. [RT #1130] + + 797. [func] Issue a warning if the 'directory' option contains + a relative path. [RT #269] + + 796. [func] When a size limit is associated with a log file, + only roll it when the size is reached, not every + time the log file is opened. [RT #1096] + + 795. [func] Add the +multiline option to dig. [RT #1095] + + 794. [func] Implement the "port" and "default-port" statements + in rndc.conf. + + 793. [cleanup] The DNSSEC tools could create filenames that were + illegal or contained shell metacharacters. They + now use a different text encoding of names that + doesn't have these problems. [RT #1101] + + 792. [cleanup] Replace the OMAPI command channel protocol with a + simpler one. + + 791. [bug] The command channel now works over IPv6. + + 790. [bug] Wildcards created using dynamic update or IXFR + could fail to match. [RT #1111] + + 789. [bug] The "localhost" and "localnets" ACLs did not match + when used as the second element of a two-element + sortlist item. + + 788. [func] Add the "match-mapped-addresses" option, which + causes IPv6 v4mapped addresses to be treated as + IPv4 addresses for the purpose of acl matching. + + 787. [bug] The DNSSEC tools failed to downcase domain + names when mapping them into file names. + + 786. [bug] When DNSSEC signing/verifying data, owner names were + not properly downcased. + + 785. [bug] A race condition in the resolver could cause + an assertion failure. 
[RT #673, #872, #1048] + + 784. [bug] nsupdate and other programs would not quit properly + if some signals were blocked by the caller. [RT #1081] + + 783. [bug] Following CNAMEs could cause an assertion failure + when either using an sdb database or under very + rare conditions. + + 782. [func] Implement the "serial-query-rate" option. + + 781. [func] Avoid error packet loops by dropping duplicate FORMERR + responses. [RT #1006] + + 780. [bug] Error handling code dealing with out of memory or + other rare errors could lead to assertion failures + by calling functions on unitialized names. [RT #1065] + + 779. [func] Added the "minimal-responses" option. + + 778. [bug] When starting cache cleaning, cleaning_timer_action() + returned without first pausing the iterator, which + could cause deadlock. [RT #998] + + 777. [bug] An empty forwarders list in a zone failed to override + global forwarders. [RT #995] + + 776. [func] Improved error reporting in denied messages. [RT #252] + + 775. [placeholder] + + 774. [func] max-cache-size is implemented. + + 773. [func] Added isc_rwlock_trylock() to attempt to lock without + blocking. + + 772. [bug] Owner names could be incorrectly omitted from cache + dumps in the presence of negative caching entries. + [RT #991] + + 771. [cleanup] TSIG errors related to unsynchronized clocks + are logged better. [RT #919] + + 770. [func] Add the "edns yes_or_no" statement to the server + clause. [RT #524] + + 769. [func] Improved error reporting when parsing rdata. [RT #740] + + 768. [bug] The server did not emit an SOA when a CNAME + or DNAME chain ended in NXDOMAIN in an + authoritative zone. + + 767. [placeholder] + + 766. [bug] A few cases in query_find() could leak fname. + This would trigger the mpctx->allocated == 0 + assertion when the server exited. + [RT #739, #776, #798, #812, #818, #821, #845, + #892, #935, #966] + + 765. [func] ACL names are once again case insensitive, like + in BIND 8. [RT #252] + + 764. 
[func] Configuration files now allow "include" directives + in more places, such as inside the "view" statement. + [RT #377, #728, #860] + + 763. [func] Configuration files no longer have reserved words. + [RT #731, #753] + + 762. [cleanup] The named.conf and rndc.conf file parsers have + been completely rewritten. + + 761. [bug] _REENTRANT was still defined when building with + --disable-threads. + + 760. [contrib] Significant enhancements to the pgsql sdb driver. + + 759. [bug] The resolver didn't turn off "avoid fetches" mode + when restarting, possibly causing resolution + to fail when it should not. This bug only affected + platforms which support both IPv4 and IPv6. [RT #927] + + 758. [bug] The "avoid fetches" code did not treat negative + cache entries correctly, causing fetches that would + be useful to be avoided. This bug only affected + platforms which support both IPv4 and IPv6. [RT #927] + + 757. [func] Log zone transfers. + + 756. [bug] dns_zone_load() could "return" success when no master + file was configured. + + 755. [bug] Fix incorrectly formatted log messages in zone.c. + + 754. [bug] Certain failure conditions sending UDP packets + could cause the server to retry the transmission + indefinitely. [RT #902] + + 753. [bug] dig, host, and nslookup would fail to contact a + remote server if getaddrinfo() returned an IPv6 + address on a system that doesn't support IPv6. + [RT #917] + + 752. [func] Correct bad tv_usec elements returned by + gettimeofday(). + + 751. [func] Log successful zone loads / transfers. [RT #898] + + 750. [bug] A query should not match a DNAME whose trust level + is pending. [RT #916] + + 749. [bug] When a query matched a DNAME in a secure zone, the + server did not return the signature of the DNAME. + [RT #915] + + 748. [doc] List supported RFCs in doc/misc/rfc-compliance. + [RT #781] + + 747. [bug] The code to determine whether an IXFR was possible + did not properly check for a database that could + not have a journal. 
[RT #865, #908] + + 746. [bug] The sdb didn't clone rdatasets properly, causing + a crash when the server followed delegations. [RT #905] + + 745. [func] Report the owner name of records that fail + semantic checks while loading. + + 744. [bug] When returning DNS_R_CNAME or DNS_R_DNAME as the + result of an ANY or SIG query, the resolver failed + to setup the return event's rdatasets, causing an + assertion failure in the query code. [RT #881] + + 743. [bug] Receiving a large number of certain malformed + answers could cause named to stop responding. + [RT #861] + + 742. [placeholder] + + 741. [port] Support openssl-engine. [RT #709] + + 740. [port] Handle openssl library mismatches slightly better. + + 739. [port] Look for /dev/random in configure, rather than + assuming it will be there for only a predefined + set of OSes. + + 738. [bug] If a non-threadsafe sdb driver supported AXFR and + received an AXFR request, it would deadlock or die + with an assertion failure. [RT #852] + + 737. [port] stdtime.c failed to compile on certain platforms. + + 736. [func] New functions isc_task_{begin,end}exclusive(). + + 735. [doc] Add BIND 4 migration notes. + + 734. [bug] An attempt to re-lock the zone lock could occur if + the server was shutdown during a zone tranfer. + [RT #830] + + 733. [bug] Reference counts of dns_acl_t objects need to be + locked but were not. [RT #801, #821] + + 732. [bug] Glue with 0 TTL could also cause SERVFAIL. [RT #828] + + 731. [bug] Certain zone errors could cause named-checkzone to + fail ungracefully. [RT #819] + + 730. [bug] lwres_getaddrinfo() returns the correct result when + it fails to contact a server. [RT #768] + + 729. [port] pthread_setconcurrency() needs to be called on Solaris. + + 728. [bug] Fix comment processing on master file directives. + [RT# 757] + + 727. 
[port] Work around OS bug where accept() succeeds but + fails to fill in the peer address of the accepted + connection, by treating it as an error rather than + an assertion failure. [RT #809] + + 726. [func] Implement the "trace" and "notrace" commands in rndc. + + 725. [bug] Installing man pages could fail. + + 724. [func] New libisc functions isc_netaddr_any(), + isc_netaddr_any6(). + + 723. [bug] Referrals whose NS RRs had a 0 TTL caused the resolver + to return DNS_R_SERVFAIL. [RT #783] + + 722. [func] Allow incremental loads to be canceled. + + 721. [cleanup] Load manager and dns_master_loadfilequota() are no + more. + + 720. [bug] Server could enter infinite loop in + dispatch.c:do_cancel(). [RT #733] + + 719. [bug] Rapid reloads could trigger an assertion failure. + [RT #743, #763] + + 718. [cleanup] "internal" is no longer a reserved word in named.conf. + [RT #753, #731] + + 717. [bug] Certain TKEY processing failure modes could + reference an uninitialized variable, causing the + server to crash. [RT #750] + + 716. [bug] The first line of a $INCLUDE master file was lost if + an origin was specified. [RT #744] + + 715. [bug] Resolving some A6 chains could cause an assertion + failure in adb.c. [RT #738] + + 714. [bug] Preserve interval timers across reloads unless changed. + [RT# 729] + + 713. [func] named-checkconf takes '-t directory' similar to named. + [RT #726] + + 712. [bug] Sending a large signed update message caused an + assertion failure. [RT #718] + + 711. [bug] The libisc and liblwres implementations of + inet_ntop contained an off by one error. + + 710. [func] The forwarders statement now takes an optional + port. [RT #418] + + 709. [bug] ANY or SIG queries for data with a TTL of 0 + would return SERVFAIL. [RT #620] + + 708. [bug] When building with --with-openssl, the openssl headers + included with BIND 9 should not be used. [RT #702] + + 707. [func] The "filename" argument to named-checkzone is no + longer optional, to reduce confusion. 
[RT #612] + + 706. [bug] Zones with an explicit "allow-update { none; };" + were considered dynamic and therefore not reloaded + on SIGHUP or "rndc reload". + + 705. [port] Work out resource limit type for use where rlim_t is + not available. [RT #695] + + 704. [port] RLIMIT_NOFILE is not available on all platforms. + [RT #695] + + 703. [port] sys/select.h is needed on older platforms. [RT #695] + + 702. [func] If the address 0.0.0.0 is seen in resolv.conf, + use 127.0.0.1 instead. [RT #693] + + 701. [func] Root hints are now fully optional. Class IN + views use compiled-in hints by default, as + before. Non-IN views with no root hints now + provide authoritative service but not recursion. + A warning is logged if a view has neither root + hints nor authoritative data for the root. [RT #696] + + 700. [bug] $GENERATE range check was wrong. [RT #688] + + 699. [bug] The lexer mishandled empty quoted strings. [RT #694] + + 698. [bug] Aborting nsupdate with ^C would lead to several + race conditions. + + 697. [bug] nsupdate was not compatible with the undocumented + BIND 8 behavior of ignoring TTLs in "update delete" + commands. [RT #693] + + 696. [bug] lwresd would die with an assertion failure when passed + a zero-length name. [RT #692] + + 695. [bug] If the resolver attempted to query a blackholed or + bogus server, the resolution would fail immediately. + + 694. [bug] $GENERATE did not produce the last entry. + [RT #682, #683] + + 693. [bug] An empty lwres statement in named.conf caused + the server to crash while loading. + + 692. [bug] Deal with systems that have getaddrinfo() but not + gai_strerror(). [RT #679] + + 691. [bug] Configuring per-view forwarders caused an assertion + failure. [RT #675, #734] + + 690. [func] $GENERATE now supports DNAME. [RT #654] + + 689. [doc] man pages are now installed. [RT #210] + + 688. [func] "make tags" now works on systems with the + "Exuberant Ctags" etags. + + 687. 
[bug] Only say we have IPv6, with sufficent functionality, + if it has actually been tested. [RT #586] + + 686. [bug] dig and nslookup can now be properly aborted during + blocking operations. [RT #568] + + 685. [bug] nslookup should use the search list/domain options + from resolv.conf by default. [RT #405, #630] + + 684. [bug] Memory leak with view forwarders. [RT #656] + + 683. [bug] File descriptor leak in isc_lex_openfile(). + + 682. [bug] nslookup displayed SOA records incorrectly. [RT #665] + + 681. [bug] $GENERATE specifying output format was broken. [RT #653] + + 680. [bug] dns_rdata_fromstruct() mishandled options bigger + than 255 octets. + + 679. [bug] $INCLUDE could leak memory and file descriptors on + reload. [RT #639] + + 678. [bug] "transfer-format one-answer;" could trigger an assertion + failure. [RT #646] + + 677. [bug] dnssec-signzone would occasionally use the wrong ttl + for database operations and fail. [RT #643] + + 676. [bug] Log messages about lame servers to category + 'lame-servers' rather than 'resolver', so as not + to be gratuitously incompatible with BIND 8. + + 675. [bug] TKEY queries could cause the server to leak + memory. + + 674. [func] Allow messages to be TSIG signed / verified using + a offset from the current time. + + 673. [func] The server can now convert RFC1886-style recursive + lookup requests into RFC2874-style lookups, when + enabled using the new option "allow-v6-synthesis". + + 672. [bug] The wrong time was in the "time signed" field when + replying with BADTIME error. + + 671. [bug] The message code was failing to parse a message with + no question section and a TSIG record. [RT #628] + + 670. [bug] The lwres replacements for getaddrinfo and + getipnodebyname didn't properly check for the + existence of the sockaddr sa_len field. + + 669. [bug] dnssec-keygen now makes the public key file + non-world-readable for symmetric keys. [RT #403] + + 668. 
[func] named-checkzone now reports multiple errors in master + files. + + 667. [bug] On Linux, running named with the -u option and a + non-world-readable configuration file didn't work. + [RT #626] + + 666. [bug] If a request sent by dig is longer than 512 bytes, + use TCP. + + 665. [bug] Signed responses were not sent when the size of the + TSIG + question exceeded the maximum message size. + [RT #628] + + 664. [bug] The t_tasks and t_timers module tests are now skipped + when building without threads, since they require + threads. + + 663. [func] Accept a size_spec, not just an integer, in the + (unimplemented and ignored) max-ixfr-log-size option + for compatibility with recent versions of BIND 8. + [RT #613] + + 662. [bug] dns_rdata_fromtext() failed to log certain errors. + + 661. [bug] Certain UDP IXFR requests caused an assertion failure + (mpctx->allocated == 0). [RT #355, #394, #623] + + 660. [port] Detect multiple CPUs on HP-UX and IRIX. + + 659. [performance] Rewrite the name compression code to be much faster. + + 658. [cleanup] Remove all vestiges of 16 bit global compression. + + 657. [bug] When a listen-on statement in an lwres block does not + specify a port, use 921, not 53. Also update the + listen-on documentation. [RT #616] + + 656. [func] Treat an unescaped newline in a quoted string as + an error. This means that TXT records with missing + close quotes should have meaningful errors printed. + + 655. [bug] Improve error reporting on unexpected eof when loading + zones. [RT #611] + + 654. [bug] Origin was being forgotten in TCP retries in dig. + [RT #574] + + 653. [bug] +defname option in dig was reversed in sense. + [RT #549] + + 652. [bug] zone_saveunique() did not report the new name. + + 651. [func] The AD bit in responses now has the meaning + specified in <draft-ietf-dnsext-ad-is-secure>. + + 650. [bug] SIG(0) records were being generated and verified + incorrectly. [RT #606] + + 649. 
[bug] It was possible to join to an already running fctx + after it had "cloned" its events, but before it sent + them. In this case, the event of the newly joined + fetch would not contain the answer, and would + trigger the INSIST() in fctx_sendevents(). In + BIND 9.0, this bug did not trigger an INSIST(), but + caused the fetch to fail with a SERVFAIL result. + [RT #588, #597, #605, #607] + + 648. [port] Add support for pre-RFC2133 IPv6 implementations. + + 647. [bug] Resolver queries sent after following multiple + referrals had excessively long retransmission + timeouts due to incorrectly counting the referrals + as "restarts". + + 646. [bug] The UnixWare ISC_PLATFORM_FIXIN6INADDR fix in isc/net.h + didn't _cleanly_ fix the problem it was trying to fix. + + 645. [port] BSD/OS 3.0 needs pthread_init(). [RT #603] + + 644. [bug] #622 needed more work. [RT #562] + + 643. [bug] xfrin error messages made more verbose, added class + of the zone. [RT# 599] + + 642. [bug] Break the exit_check() race in the zone module. + [RT #598] + + --- 9.1.0b2 released --- + + 641. [bug] $GENERATE caused a uninitialized link to be used. + [RT #595] + + 640. [bug] Memory leak in error path could cause + "mpctx->allocated == 0" failure. [RT #584] + + 639. [bug] Reading entropy from the keyboard would sometimes fail. + [RT #591] + + 638. [port] lib/isc/random.c needed to explicitly include time.h + to get a prototype for time() when pthreads was not + being used. [RT #592] + + 637. [port] Use isc_u?int64_t instead of (unsigned) long long in + lib/isc/print.c. Also allow lib/isc/print.c to + be compiled even if the platform does not need it. + [RT #592] + + 636. [port] Shut up MSVC++ about a possible loss of precision + in the ISC__BUFFER_PUTUINT*() macros. [RT #592] + + 635. [bug] Reloading a server with a configured blackhole list + would cause an assertion. [RT #590] + + 634. 
[bug] A log file will completely stop being written when + it reaches the maximum size in all cases, not just + when versioning is also enabled. [RT #570] + + 633. [port] Cope with rlim_t missing on BSD/OS systems. [RT #575] + + 632. [bug] The index array of the journal file was + corrupted as it was written to disk. + + 631. [port] Build without thread support on systems without + pthreads. + + 630. [bug] Locking failure in zone code. [RT #582] + + 629. [bug] 9.1.0b1 dereferenced a null pointer and crashed + when responding to a UDP IXFR request. + + 628. [bug] If the root hints contained only AAAA addresses, + named would be unable to perform resolution. + + 627. [bug] The EDNS0 blackhole detection code of change 324 + waited for three retransmissions to each server, + which takes much too long when a domain has many + name servers and all of them drop EDNS0 queries. + Now we retry without EDNS0 after three consecutive + timeouts, even if they are all from different + servers. [RT #143] + + 626. [bug] The lightweight resolver daemon no longer crashes + when asked for a SIG rrset. [RT #558] + + 625. [func] Zones now inherit their class from the enclosing view. + + 624. [bug] The zone object could get timer events after it had + been destroyed, causing a server crash. [RT #571] + + 623. [func] Added "named-checkconf" and "named-checkzone" program + for syntax checking named.conf files and zone files, + respectively. + + 622. [bug] A canceled request could be destroyed before + dns_request_destroy() was called. [RT #562] + + 621. [port] Disable IPv6 at runtime if IPv6 sockets are unusable. + This mostly affects Red Hat Linux 7.0, which has + conflicts between libc and the kernel. + + 620. [bug] dns_master_load*inc() now require 'task' and 'load' + to be non-null. Also 'done' will not be called if + dns_master_load*inc() fails immediately. [RT #565] + + 618. [bug] Queries to a signed zone could sometimes cause + an assertion failure. + + 617. 
[bug] When using dynamic update to add a new RR to an + existing RRset with a different TTL, the journal + entries generated from the update did not include + explicit deletions and re-additions of the existing + RRs to update their TTL to the new value. + + 616. [func] dnssec-signzone -t output now includes performance + statistics. + + 615. [bug] dnssec-signzone did not like child keysets signed + by multiple keys. + + 614. [bug] Checks for uninitialized link fields were prone + to false positives, causing assertion failures. + The checks are now disabled by default and may + be re-enabled by defining ISC_LIST_CHECKINIT. + + 613. [bug] "rndc reload zone" now reloads primary zones. + It previously only updated slave and stub zones, + if an SOA query indicated an out of date serial. + + 612. [cleanup] Shutup a ridiculously noisy HP-UX compiler that + complains relentlessly about how its treatment + of 'const' has changed as well as how casting + sometimes tightens alignment constraints. + + 611. [func] allow-notify can be used to permit processing of + notify messages from hosts other than a slave's + masters. + + 610. [func] rndc dumpdb is now supported. + + 609. [bug] getrrsetbyname() would crash lwresd if the server + found more SIGs than answers. [RT #554] + + 608. [func] dnssec-signzone now adds a comment to the zone + with the time the file was signed. + + 607. [bug] nsupdate would fail if it encountered a CNAME or + DNAME in a response to an SOA query. [RT #515] + + 606. [bug] Compiling with --disable-threads failed due + to isc_thread_self() being incorrectly defined + as an integer rather than a function. + + 605. [func] New function isc_lex_getlasttokentext(). + + 604. [bug] The named.conf parser could print incorrect line + numbers when long comments were present. + + 603. [bug] Make dig handle multiple types or classes on the same + query more correctly. + + 602. [func] Cope automatically with UnixWare's broken + IN6_IS_ADDR_* macros. [RT #539] + + 601. 
[func] Return a non-zero exit code if an update fails + in nsupdate. + + 600. [bug] Reverse lookups sometimes failed in dig, etc... + + 599. [func] Added four new functions to the libisc log API to + support i18n messages. isc_log_iwrite(), + isc_log_ivwrite(), isc_log_iwrite1() and + isc_log_ivwrite1() were added. + + 598. [bug] An update-policy statement would cause the server + to assert while loading. [RT #536] + + 597. [func] dnssec-signzone is now multi-threaded. + + 596. [bug] DNS_RDATASLAB_FORCE and DNS_RDATASLAB_EXACT are + not mutually exclusive. + + 595. [port] On Linux 2.2, socket() returns EINVAL when it + should return EAFNOSUPPORT. Work around this. + [RT #531] + + 594. [func] sdb drivers are now assumed to not be thread-safe + unless the DNS_SDBFLAG_THREADSAFE flag is supplied. + + 593. [bug] If a secure zone was missing all its NXTs and + a dynamic update was attempted, the server entered + an infinite loop. + + 592. [bug] The sig-validity-interval option now specifies a + number of days, not seconds. This matches the + documentation. [RT #529] + + --- 9.1.0b1 released --- + + 591. [bug] Work around non-reentrancy in openssl by disabling + precomputation in keys. + + 590. [doc] There are now man pages for the lwres library in + doc/man/lwres. + + 589. [bug] The server could deadlock if a zone was updated + while being transferred out. + + 588. [bug] ctx->in_use was not being correctly initialized when + when pushing a file for $INCLUDE. [RT #523] + + 587. [func] A warning is now printed if the "allow-update" + option allows updates based on the source IP + address, to alert users to the fact that this + is insecure and becoming increasingly so as + servers capable of update forwarding are being + deployed. + + 586. [bug] multiple views with the same name were fatal. [RT #516] + + 585. 
[func] dns_db_addrdataset() and and dns_rdataslab_merge() + now support 'exact' additions in a similar manner to + dns_db_subtractrdataset() and dns_rdataslab_subtract(). + + 584. [func] You can now say 'notify explicit'; to suppress + notification of the servers listed in NS records + and notify only those servers listed in the + 'also-notify' option. + + 583. [func] "rndc querylog" will now toggle logging of + queries, like "ndc querylog" in BIND 8. + + 582. [bug] dns_zone_idetach() failed to lock the zone. + [RT #199, #463] + + 581. [bug] log severity was not being correctly processed. + [RT #485] + + 580. [func] Ignore trailing garbage on incoming DNS packets, + for interoperability with broken server + implementations. [RT #491] + + 579. [bug] nsupdate did not take a filename to read update from. + [RT #492] + + 578. [func] New config option "notify-source", to specify the + source address for notify messages. + + 577. [func] Log illegal RDATA combinations. e.g. multiple + singlton types, cname and other data. + + 576. [doc] isc_log_create() description did not match reality. + + 575. [bug] isc_log_create() was not setting internal state + correctly to reflect the default channels created. + + 574. [bug] TSIG signed queries sent by the resolver would fail to + have their responses validated and would leak memory. + + 573. [bug] The journal files of IXFRed slave zones were + inadvertantly discarded on server reload, causing + "journal out of sync with zone" errors on subsequent + reloads. [RT #482] + + 572. [bug] Quoted strings were not accepted as key names in + address match lists. + + 571. [bug] It was possible to create an rdataset of singleton + type which had more than one rdata. [RT #154] + [RT #279] + + 570. [bug] rbtdb.c allowed zones containing nodes which had + both a CNAME and "other data". [RT #154] + + 569. [func] The DNSSEC AD bit will not be set on queries which + have not requested a DNSSEC response. + + 568. 
[func] Add sample simple database drivers in contrib/sdb. + + 567. [bug] Setting the zone transfer timeout to zero caused an + assertion failure. [RT #302] + + 566. [func] New public function dns_timer_setidle(). + + 565. [func] Log queries more like BIND 8: query logging is now + done to category "queries", level "info". [RT #169] + + 564. [func] Add sortlist support to lwresd. + + 563. [func] New public functions dns_rdatatype_format() and + dns_rdataclass_format(), for convenient formatting + of rdata type/class mnemonics in log messages. + + 562. [cleanup] Moved lib/dns/*conf.c to bin/named where they belong. + + 561. [func] The 'datasize', 'stacksize', 'coresize' and 'files' + clauses of the options{} statement are now implemented. + + 560. [bug] dns_name_split did not properly the resulting prefix + when a maximal length bitstring label was split which + was preceded by another bitstring label. [RT #429] + + 559. [bug] dns_name_split did not properly create the suffix + when splitting within a maximal length bitstring label. + + 558. [func] New functions, isc_resource_getlimit and + isc_resource_setlimit. + + 557. [func] Symbolic constants for libisc integral types. + + 556. [func] The DNSSEC OK bit in the EDNS extended flags + is now implemented. Responses to queries without + this bit set will not contain any DNSSEC records. + + 555. [bug] A slave server attempting a zone transfer could + crash with an assertion failure on certain + malformed responses from the master. [RT #457] + + 554. [bug] In some cases, not all of the dnssec tools were + properly installed. + + 553. [bug] Incoming zone transfers deferred due to quota + were not started when quota was increased but + only when a transfer in progress finished. [RT #456] + + 552. [bug] We were not correctly detecting the end of all c-style + comments. [RT #455] + + 551. [func] Implemented the 'sortlist' option. + + 550. [func] Support unknown rdata types and classes. + + 549. 
[bug] "make" did not immediately abort the build when a + subdirectory make failed [RT #450]. + + 548. [func] The lexer now ungets tokens more correctly. + + 546. [func] Option 'lame-ttl' is now implemented. + + 545. [func] Name limit and counting options removed from dig; + they didn't work properly, and cannot be correctly + implemented without significant changes. + + 544. [func] Add statistics option, enable statistics-file option, + add RNDC option "dump-statistics" to write out a + query statistics file. + + 543. [doc] The 'port' option is now documented. + + 542. [func] Add support for update forwarding as required for + full compliance with RFC2136. It is turned off + by default and can be enabled using the + 'allow-update-forwarding' option. + + 541. [func] Add bogus server support. + + 540. [func] Add dialup support. + + 539. [func] Support the blackhole option. + + 538. [bug] fix buffer overruns by 1 in lwres_getnameinfo(). + + 536. [func] Use transfer-source{-v6} when sending refresh queries. + Transfer-source{-v6} now take a optional port + parameter for setting the UDP source port. The port + parameter is ignored for TCP. + + 535. [func] Use transfer-source{-v6} when forwarding update + requests. + + 534. [func] Ancestors have been removed from RBT chains. Ancestor + information can be discerned via node parent pointers. + + 533. [func] Incorporated name hashing into the RBT database to + improve search speed. + + 532. [func] Implement DNS UPDATE pseudo records using + DNS_RDATA_UPDATE flag. + + 531. [func] Rdata really should be initialized before being assigned + to (dns_rdata_fromwire(), dns_rdata_fromtext(), + dns_rdata_clone(), dns_rdata_fromregion()), + check that it is. + + 530. [func] New function dns_rdata_invalidate(). + + 529. [bug] 521 contained a bug which caused zones to always + reload. [RT #410] + + 528. [func] The ISC_LIST_XXXX macros now perform sanity checks + on their arguments. 
ISC_LIST_XXXXUNSAFE can be use + to skip the checks however use with caution. + + 527. [func] New function dns_rdata_clone(). + + 526. [bug] nsupdate incorrectly refused to add RRs with a TTL + of 0. + + 525. [func] New arguments 'options' for dns_db_subtractrdataset(), + and 'flags' for dns_rdataslab_subtract() allowing you + to request that the RR's must exist prior to deletion. + DNS_R_NOTEXACT is returned if the condition is not met. + + 524. [func] The 'forward' and 'forwarders' statement in + non-forward zones should work now. + + 523. [doc] The source to the Administrator Reference Manual is + now an XML file using the DocBook DTD, and is included + in the distribution. The plain text version of the + ARM is temporarily unavailable while we figure out + how to generate readable plain text from the XML. + + 522. [func] The lightweight resolver daemon can now use + a real configuration file, and its functionality + can be provided by a name server. Also, the -p and -P + options to lwresd have been reversed. + + 521. [bug] Detect master files which contain $INCLUDE and always + reload. [RT #196] + + 520. [bug] Upgraded libtool to 1.3.5, which makes shared + library builds almost work on AIX (and possibly + others). + + 519. [bug] dns_name_split() would improperly split some bitstring + labels, zeroing a few of the least signficant bits in + the prefix part. When such an improperly created + prefix was returned to the RBT database, the bogus + label was dutifully stored, corrupting the tree. + [RT #369] + + 518. [bug] The resolver did not realize that a DNAME which was + "the answer" to the client's query was "the answer", + and such queries would fail. [RT #399] + + 517. [bug] The resolver's DNAME code would trigger an assertion + if there was more than one DNAME in the chain. + [RT #399] + + 516. [bug] Cache lookups which had a NULL node pointer, e.g. 
+ those by dns_view_find(), and which would match a + DNAME, would trigger an INSIST(!search.need_cleanup) + assertion. [RT #399] + + 515. [bug] The ssu table was not being attached / detached + by dns_zone_[sg]etssutable. [RT#397] + + 514. [func] Retry refresh and notify queries if they timeout. + [RT #388] + + 513. [func] New functionality added to rdnc and server to allow + individual zones to be refreshed or reloaded. + + 512. [bug] The zone transfer code could throw an execption with + an invalid IXFR stream. + + 511. [bug] The message code could throw an assertion on an + out of memory failure. [RT #392] + + 510. [bug] Remove spurious view notify warning. [RT #376] + + 509. [func] Add support for write of zone files on shutdown. + + 508. [func] dns_message_parse() can now do a best-effort + attempt, which should allow dig to print more invalid + messages. + + 507. [func] New functions dns_zone_flush(), dns_zt_flushanddetach() + and dns_view_flushanddetach(). + + 506. [func] Do not fail to start on errors in zone files. + + 505. [bug] nsupdate was printing "unknown result code". [RT #373] + + 504. [bug] The zone was not being marked as dirty when updated via + IXFR. + + 503. [bug] dumptime was not being set along with + DNS_ZONEFLG_NEEDDUMP. + + 502. [func] On a SERVFAIL reply, DiG will now try the next server + in the list, unless the +fail option is specified. + + 501. [bug] Incorrect port numbers were being displayed by + nslookup. [RT #352] + + 500. [func] Nearly useless +details option removed from DiG. + + 499. [func] In DiG, specifying a class with -c or type with -t + changes command-line parsing so that classes and + types are only recognized if following -c or -t. + This allows hosts with the same name as a class or + type to be looked up. + + 498. [doc] There is now a man page for "dig" + in doc/man/bin/dig.1. + + 497. 
[bug] The error messages printed when an IP match list + contained a network address with a nonzero host + part where not sufficiently detailed. [RT #365] + + 496. [bug] named didn't sanity check numeric parameters. [RT #361] + + 495. [bug] nsupdate was unable to handle large records. [RT #368] + + 494. [func] Do not cache NXDOMAIN responses for SOA queries. + + 493. [func] Return non-cachable (ttl = 0) NXDOMAIN responses + for SOA queries. This makes it easier to locate + the containing zone without polluting intermediate + caches. + + 492. [bug] attempting to reload a zone caused the server fail + to shutdown cleanly. [RT #360] + + 491. [bug] nsupdate would segfault when sending certain + prerequisites with empty RDATA. [RT #356] + + 490. [func] When a slave/stub zone has not yet successfully + obtained an SOA containing the zone's configured + retry time, perform the SOA query retries using + exponential backoff. [RT #337] + + 489. [func] The zone manager now has a "i/o" queue. + + 488. [bug] Locks weren't properly destroyed in some cases. + + 487. [port] flockfile() is not defined on all systems. + + 486. [bug] nslookup: "set all" and "server" commands showed + the incorrect port number if a port other than 53 + was specified. [RT #352] + + 485. [func] When dig had more than one server to query, it would + send all of the messages at the same time. Add + rate limiting of the transmitted messages. + + 484. [bug] When the server was reloaded after removing addresses + from the named.conf "listen-on" statement, sockets + were still listening on the removed addresses due + to reference count loops. [RT #325] + + 483. [bug] nslookup: "set all" showed a "search" option but it + was not settable. + + 482. [bug] nslookup: a plain "server" or "lserver" should be + treated as a lookup. + + 481. [bug] nslookup:get_next_command() stack size could exceed + per thread limit. + + 480. [bug] strtok() is not thread safe. [RT #349] + + 479. 
[func] The test suite can now be run by typing "make check" + or "make test" at the top level. + + 478. [bug] "make install" failed if the directory specified with + --prefix did not already exist. + + 477. [bug] The the isc-config.sh script could be installed before + its directory was created. [RT #324] + + 476. [bug] A zone could expire while a zone transfer was in + progress triggering a INSIST failure. [RT #329] + + 475. [bug] query_getzonedb() sometimes returned a non-null version + on failure. This caused assertion failures when + generating query responses where names subject to + additional section processing pointed to a zone + to which access had been denied by means of the + allow-query option. [RT #336] + + 474. [bug] The mnemonic of the CHAOS class is CH according to + RFC1035, but it was printed and read only as CHAOS. + We now accept both forms as input, and print it + as CH. [RT #305] + + 473. [bug] nsupdate overran the end of the list of name servers + when no servers could be reached, typically causing + it to print the error message "dns_request_create: + not implemented". + + 472. [bug] Off-by-one error caused isc_time_add() to sometimes + produce invalid time values. + + 471. [bug] nsupdate didn't compile on HP/UX 10.20 + + 470. [func] $GENERATE is now supported. See also + doc/misc/migration. + + 469. [bug] "query-source address * port 53;" now works. + + 468. [bug] dns_master_load*() failed to report file and line + number in certain error conditions. + + 467. [bug] dns_master_load*() failed to log an error if + pushfile() failed. + + 466. [bug] dns_master_load*() could return success when it failed. + + 465. [cleanup] Allow 0 to be set as an omapi_value_t value by + omapi_value_storeint(). + + 464. [cleanup] Build with openssl's RSA code instead of dnssafe. + + 463. [bug] nsupdate sent malformed SOA queries to the second + and subsequent name servers in resolv.conf if the + query sent to the first one failed. + + 462. 
[bug] --disable-ipv6 should work now. + + 461. [bug] Specifying an unknown key in the "keys" clause of the + "controls" statement caused a NULL pointer dereference. + [RT #316] + + 460. [bug] Much of the DNSSEC code only worked with class IN. + + 459. [bug] Nslookup processed the "set" command incorrectly. + + 458. [bug] Nslookup didn't properly check class and type values. + [RT #305] + + 457. [bug] Dig/host/hslookup didn't properly handle connect + timeouts in certain situations, causing an + unnecessary warning message to be printed. + + 456. [bug] Stub zones were not resetting the refresh and expire + counters, loadtime or clearing the DNS_ZONE_REFRESH + (refresh in progress) flag upon successful update. + This disabled further refreshing of the stub zone, + causing it to eventually expire. [RT #300] + + 455. [doc] Document IPv4 prefix notation does not require a + dotted decimal quad but may be just dotted decimal. + + 454. [bug] Enforce dotted decimal and dotted decimal quad where + documented as such in named.conf. [RT #304, RT #311] + + 453. [bug] Warn if the obsolete option "maintain-ixfr-base" + is specified in named.conf. [RT #306] + + 452. [bug] Warn if the unimplemented option "statistics-file" + is specified in named.conf. [RT #301] + + 451. [func] Update forwarding implememted. + + 450. [func] New function ns_client_sendraw(). + + 449. [bug] isc_bitstring_copy() only works correctly if the + two bitstrings have the same lsb0 value, but this + requirement was not documented, nor was there a + REQUIRE for it. + + 448. [bug] Host output formatting change, to match v8. [RT #255] + + 447. [bug] Dig didn't properly retry in TCP mode after + a truncated reply. [RT #277] + + 446. [bug] Confusing notify log message. [RT #298] + + 445. [bug] Doing a 0 bit isc_bitstring_copy() of an lsb0 + bitstring triggered a REQUIRE statement. The REQUIRE + statement was incorrect. [RT #297] + + 444. 
[func] "recursion denied" messages are always logged at + debug level 1, now, rather than sometimes at ERROR. + This silences these warnings in the usual case, where + some clients set the RD bit in all queries. + + 443. [bug] When loading a master file failed because of an + unrecognized RR type name, the error message + did not include the file name and line number. + [RT #285] + + 442. [bug] TSIG signed messages that did not match any view + crashed the server. [RT #290] + + 441. [bug] Nodes obscured by a DNAME were inaccessible even + when DNS_DBFIND_GLUEOK was set. + + 440. [func] New function dns_zone_forwardupdate(). + + 439. [func] New function dns_request_createraw(). + + 438. [func] New function dns_message_getrawmessage(). + + 437. [func] Log NOTIFY activity to the notify channel. + + 436. [bug] If recvmsg() returned EHOSTUNREACH or ENETUNREACH, + which sometimes happens on Linux, named would enter + a busy loop. Also, unexpected socket errors were + not logged at a high enough logging level to be + useful in diagnosing this situation. [RT #275] + + 435. [bug] dns_zone_dump() overwrote existing zone files + rather than writing to a temporary file and + renaming. This could lead to empty or partial + zone files being left around in certain error + conditions involving the initial transfer of a + slave zone, interfering with subsequent server + startup. [RT #282] + + 434. [func] New function isc_file_isabsolute(). + + 433. [func] isc_base64_decodestring() now accepts newlines + within the base64 data. This makes it possible + to break up the key data in a "trusted-keys" + statement into multiple lines. [RT #284] + + 432. [func] Added refresh/retry jitter. The actual refresh/ + retry time is now a random value between 75% and + 100% of the configured value. + + 431. [func] Log at ISC_LOG_INFO when a zone is successfully + loaded. + + 430. [bug] Rewrote the lightweight resolver client management + code to handle shutdown correctly and general + cleanup. 
+ + 429. [bug] The space reserved for a TSIG record in a response + was 2 bytes too short, leading to message + generation failures. + + 428. [bug] rbtdb.c:find_closest_nxt() erroneously returned + DNS_R_BADDB for nodes which had neither NXT nor SIG NXT + (e.g. glue). This could cause SERVFAILs when + generating negative responses in a secure zone. + + 427. [bug] Avoid going into an infinite loop when the validator + gets a negative response to a key query where the + records are signed by the missing key. + + 426. [bug] Attempting to generate an oversized RSA key could + cause dnssec-keygen to dump core. + + 425. [bug] Warn about the auth-nxdomain default value change + if there is no auth-nxdomain statement in the + config file. [RT #287] + + 424. [bug] notify_createmessage() could trigger an assertion + failure when creating the notify message failed, + e.g. due to corrupt zones with multiple SOA records. + [RT #279] + + 423. [bug] When responding to a recusive query, errors that occur + after following a CNAME should cause the query to fail. + [RT #274] + + 422. [func] get rid of isc_random_t, and make isc_random_get() + and isc_random_jitter() use rand() internally + instead of local state. Note that isc_random_*() + functions are only for weak, non-critical "randomness" + such as timing jitter and such. + + 421. [bug] nslookup would exit when given a blank line as input. + + 420. [bug] nslookup failed to implement the "exit" command. + + 419. [bug] The certificate type PKIX was misspelled as SKIX. + + 418. [bug] At debug levels >= 10, getting an unexpected + socket receive error would crash the server + while trying to log the error message. + + 417. [func] Add isc_app_block() and isc_app_unblock(), which + allow an application to handle signals while + blocking. + + 416. [bug] Slave zones with no master file tried to use a + NULL pointer for a journal file name when they + received an IXFR. [RT #273] + + 415. [bug] The logging code leaked file descriptors. 
+ + 414. [bug] Server did not shut down until all incoming zone + transfers were finished. + + 413. [bug] Notify could attempt to use the zone database after + it had been unloaded. [RT#267] + + 412. [bug] named -v didn't print the version. + + 411. [bug] A typo in the HS A code caused an assertion failure. + + 410. [bug] lwres_gethostbyname() and company set lwres_h_errno + to a random value on success. + + 409. [bug] If named was shut down early in the startup + process, ns_omapi_shutdown() would attempt to lock + an unintialized mutex. [RT #262] + + 408. [bug] stub zones could leak memory and reference counts if + all the masters were unreachable. + + 407. [bug] isc_rwlock_lock() would needlessly block + readers when it reached the read quota even + if no writers were waiting. + + 406. [bug] Log messages were occasionally lost or corrupted + due to a race condition in isc_log_doit(). + + 405. [func] Add support for selective forwarding (forward zones) + + 404. [bug] The request library didn't completely work with IPv6. + + 403. [bug] "host" did not use the search list. + + 402. [bug] Treat undefined acls as errors, rather than + warning and then later throwing an assertion. + [RT #252] + + 401. [func] Added simple database API. + + 400. [bug] SIG(0) signing and verifying was done incorrectly. + [RT #249] + + 399. [bug] When reloading the server with a config file + containing a syntax error, it could catch an + assertion failure trying to perform zone + maintenance on, or sending notifies from, + tentatively created zones whose views were + never fully configured and lacked an address + database and request manager. + + 398. [bug] "dig" sometimes caught an assertion failure when + using TSIG, depending on the key length. + + 397. [func] Added utility functions dns_view_gettsig() and + dns_view_getpeertsig(). + + 396. [doc] There is now a man page for "nsupdate" + in doc/man/bin/nsupdate.8. + + 395. 
[bug] nslookup printed incorrect RR type mnemonics + for RRs of type >= 21 [RT #237]. + + 394. [bug] Current name was not propagated via $INCLUDE. + + 393. [func] Initial answer while loading (awl) support. + Entry points: dns_master_loadfileinc(), + dns_master_loadstreaminc(), dns_master_loadbufferinc(). + Note: calls to dns_master_load*inc() should be rate + be rate limited so as to not use up all file + descriptors. + + 392. [func] Add ISC_R_FAMILYNOSUPPORT. Returned when OS does + not support the given address family requested. + + 391. [clarity] ISC_R_FAMILY -> ISC_R_FAMILYMISMATCH. + + 390. [func] The function dns_zone_setdbtype() now takes + an argc/argv style vector of words and sets + both the zone database type and its arguments, + making the functions dns_zone_adddbarg() + and dns_zone_cleardbargs() unnecessary. + + 389. [bug] Attempting to send a reqeust over IPv6 using + dns_request_create() on a system without IPv6 + support caused an assertion failure [RT #235]. + + 388. [func] dig and host can now do reverse ipv6 lookups. + + 387. [func] Add dns_byaddr_createptrname(), which converts + an address into the name used by a PTR query. + + 386. [bug] Missing strdup() of ACL name caused random + ACL matching failures [RT #228]. + + 385. [cleanup] Removed functions dns_zone_equal(), dns_zone_print(), + and dns_zt_print(). + + 384. [bug] nsupdate was incorrectly limiting TTLs to 65535 instead + of 2147483647. + + 383. [func] When writing a master file, print the SOA and NS + records (and their SIGs) before other records. + + 382. [bug] named -u failed on many Linux systems where the + libc provided kernel headers do not match + the current kernel. + + 381. [bug] Check for IPV6_RECVPKTINFO and use it instead of + IPV6_PKTINFO if found. [RT #229] + + 380. [bug] nsupdate didn't work with IPv6. + + 379. [func] New library function isc_sockaddr_anyofpf(). + + 378. 
[func] named and lwresd will log the command line arguments + they were started with in the "starting ..." message. + + 377. [bug] When additional data lookups were refused due to + "allow-query", the databases were still being + attached causing reference leaks. + + 376. [bug] The server should always use good entropy when + performing cryptographic functions needing entropy. + + 375. [bug] Per-zone "allow-query" did not properly override the + view/global one for CNAME targets and additional + data [RT #220]. + + 374. [bug] SOA in authoritative negative responses had wrong TTL. + + 373. [func] nslookup is now installed by "make install". + + 372. [bug] Deal with Microsoft DNS servers appending two bytes of + garbage to zone transfer requests. + + 371. [bug] At high debug levels, doing an outgoing zone transfer + of a very large RRset could cause an assertion failure + during logging. + + 370. [bug] The error messages for rollforward failures were + overly terse. + + 369. [func] Support new named.conf options, view and zone + statements: + + max-retry-time, min-retry-time, + max-refresh-time, min-refresh-time. + + 368. [func] Restructure the internal ".bind" view so that more + zones can be added to it. + + 367. [bug] Allow proper selection of server on nslookup command + line. + + 366. [func] Allow use of '-' batch file in dig for stdin. + + 365. [bug] nsupdate -k leaked memory. + + 364. [func] Added additional-from-{cache,auth} + + 362. [bug] rndc no longer aborts if the configuration file is + missing an options statement. [RT #209] + + 361. [func] When the RBT find or chain functions set the name and + origin for a node that stores the root label + the name is now set to an empty name, instead of ".", + to simplify later use of the name and origin by + dns_name_concatenate(), dns_name_totext() or + dns_name_format(). + + 360. [func] dns_name_totext() and dns_name_format() now allow + an empty name to be passed, which is formatted as "@". + + 359. 
[bug] dnssec-signzone occasionally signed glue records. + + 358. [cleanup] Rename the intermediate files used by the dnssec + programs. + + 357. [bug] The zone file parser crashed if the argument + to $INCLUDE was a quoted string. + + 356. [cleanup] isc_task_send no longer requires event->sender to + be non-null. + + 355. [func] Added isc_dir_createunique(), similar to mkdtemp(). + + 354. [doc] Man pages for the dnssec tools are now included in + the distribution, in doc/man/dnssec. + + 353. [bug] double increment in lwres/gethost.c:copytobuf(). + [RT# 187] + + 352. [bug] Race condition in dns_client_t startup could cause + an assertion failure. + + 351. [bug] Constructing a response with rcode SERVFAIL to a TSIG + signed query could crash the server. + + 350. [bug] Also-notify lists specified in the global options + block were not correctly reference counted, causing + a memory leak. + + 349. [bug] Processing a query with the CD bit set now works + as expected. + + 348. [func] New boolean named.conf options 'additional-from-auth' + and 'additional-from-cache' now supported in view and + global options statement. + + 347. [bug] Don't crash if an argument is left off options in dig. + + 346. [func] Add support for .digrc config file, in the + user's current directory. + + 345. [bug] Large-scale changes/cleanups to dig: + * Significantly improve structure handling + * Don't pre-load entire batch files + * Add name/rr counting/limiting + * Fix SIGINT handling + * Shorten timeouts to match v8's behavior + + 344. [bug] When shutting down, lwresd sometimes tried + to shut down its client tasks twice, + triggering an assertion. + + 343. [bug] Although zone maintenance SOA queries and + notify requests were signed with TSIG keys + when configured for the server in case, + the TSIG was not verified on the response. + + 342. [bug] The wrong name was being passed to + dns_name_dup() when generating a TSIG + key using TKEY. + + 341. 
[func] Support 'key' clause in named.conf zone masters + statement to allow authentication via TSIG keys: + + masters { + 10.0.0.1 port 5353 key "foo"; + 10.0.0.2 ; + }; + + 340. [bug] The top-level COPYRIGHT file was missing from + the distribution. + + 339. [bug] DNSSEC validation of the response to an ANY + query at a name with a CNAME RR in a secure + zone triggered an assertion failure. + + 338. [bug] lwresd logged to syslog as named, not lwresd. + + 337. [bug] "dig" did not recognize "nsap-ptr" as an RR type + on the command line. + + 336. [bug] "dig -f" used 64 k of memory for each line in + the file. It now uses much less, though still + proportionally to the file size. + + 335. [bug] named would occasionally attempt recursion when + it was disallowed or undesired. + + 334. [func] Added hmac-md5 to libisc. + + 333. [bug] The resolver incorrectly accepted referrals to + domains that were not parents of the query name, + causing assertion failures. + + 332. [func] New function dns_name_reset(). + + 331. [bug] Only log "recursion denied" if RD is set. [RT #178] + + 330. [bug] Many debugging messages were partially formatted + even when debugging was turned off, causing a + significant decrease in query performance. + + 329. [func] omapi_auth_register() now takes a size_t argument for + the length of a key's secret data. Previously + OMAPI only stored secrets up to the first NUL byte. + + 328. [func] Added isc_base64_decodestring(). + + 327. [bug] rndc.conf parser wasn't correctly recognising an IP + address where a host specification was required. + + 326. [func] 'keys' in an 'inet' control statement is now + required and must have at least one item in it. + A "not supported" warning is now issued if a 'unix' + control channel is defined. + + 325. [bug] isc_lex_gettoken was processing octal strings when + ISC_LEXOPT_CNUMBER was not set. + + 324. [func] In the resolver, turn EDNS0 off if there is no + response after a number of retransmissions. 
+ This is to allow queries some chance of succeeding + even if all the authoritative servers of a zone + silently discard EDNS0 requests instead of + sending an error response like they ought to. + + 323. [bug] dns_rbt_findname() did not ignore empty rbt nodes. + Because of this, servers authoritative for a parent + and grandchild zone but not authoritative for the + intervening child zone did not correctly issue + referrals to the servers of the child zone. + + 322. [bug] Queries for KEY RRs are now sent to the parent + server before the authoritative one, making + DNSSEC insecurity proofs work in many cases + where they previously didn't. + + 321. [bug] When synthesizing a CNAME RR for a DNAME + response, query_addcname() failed to intitialize + the type and class of the CNAME dns_rdata_t, + causing random failures. + + 320. [func] Multiple rndc changes: parses an rndc.conf file, + uses authentication to talk to named, command + line syntax changed. This will all be described + in the ARM. + + 319. [func] The named.conf "controls" statement is now used + to configure the OMAPI command channel. + + 318. [func] dns_c_ndcctx_destroy() could never return anything + except ISC_R_SUCCESS; made it have void return instead. + + 317. [func] Use callbacks from libomapi to determine if a + new connection is valid, and if a key requested + to be used with that connection is valid. + + 316. [bug] Generate a warning if we detect an unexpected <eof> + but treat as <eol><eof>. + + 315. [bug] Handle non-empty blanks lines. [RT #163] + + 314. [func] The named.conf controls statement can now have + more than one key specified for the inet clause. + + 313. [bug] When parsing resolv.conf, don't terminate on an + error. Instead, parse as much as possible, but + still return an error if one was found. + + 312. [bug] Increase the number of allowed elements in the + resolv.conf search path from 6 to 8. 
If there + are more than this, ignore the remainder rather + than returning a failure in lwres_conf_parse. + + 311. [bug] lwres_conf_parse failed when the first line of + resolv.conf was empty or a comment. + + 310. [func] Changes to named.conf "controls" statement (inet + subtype only) + + - support "keys" clause + + controls { + inet * port 1024 + allow { any; } keys { "foo"; } + } + + - allow "port xxx" to be left out of statement, + in which case it defaults to omapi's default port + of 953. + + 309. [bug] When sending a referral, the server did not look + for name server addresses as glue in the zone + holding the NS RRset in the case where this zone + was not the same as the one where it looked for + name server addresses as authoritative data. + + 308. [bug] Treat a SOA record not at top of zone as an error + when loading a zone. [RT #154] + + 307. [bug] When canceling a query, the resolver didn't check for + isc_socket_sendto() calls that did not yet have their + completion events posted, so it could (rarely) end up + destroying the query context and then want to use + it again when the send event posted, triggering an + assertion as it tried to cancel an already-canceled + query. [RT #77] + + 306. [bug] Reading HMAC-MD5 private key files didn't work. + + 305. [bug] When reloading the server with a config file + containing a syntax error, it could catch an + assertion failure trying to perform zone + maintenance on tentatively created zones whose + views were never fully configured and lacked + an address database. + + 304. [bug] If more than LWRES_CONFMAXNAMESERVERS servers + are listed in resolv.conf, silently ignore them + instead of returning failure. + + 303. [bug] Add additional sanity checks to differentiate a AXFR + response vs a IXFR response. [RT #157] + + 302. [bug] In dig, host, and nslookup, MXNAME should be large + enough to hold any legal domain name in presentation + format + terminating NULL. + + 301. 
[bug] Uninitialized pointer in host:printmessage(). [RT #159] + + 300. [bug] Using both <isc/net.h> and <lwres/net.h> didn't work + on platforms lacking IPv6 because each included their + own ipv6 header file for the missing definitions. Now + each library's ipv6.h defines the wrapper symbol of + the other (ISC_IPV6_H and LWRES_IPV6_H). + + 299. [cleanup] Get the user and group information before changing the + root directory, so the administrator does not need to + keep a copy of the user and group databases in the + chroot'ed environment. Suggested by Hakan Olsson. + + 298. [bug] A mutex deadlock occurred during shutdown of the + interface manager under certain conditions. + Digital Unix systems were the most affected. + + 297. [bug] Specifying a key name that wasn't fully qualified + in certain parts of the config file could cause + an assertion failure. + + 296. [bug] "make install" from a separate build directory + failed unless configure had been run in the source + directory, too. + + 295. [bug] When invoked with type==CNAME and a message + not constructed by dns_message_parse(), + dns_message_findname() failed to find anything + due to checking for attribute bits that are set + only in dns_message_parse(). This caused an + infinite loop when constructing the response to + an ANY query at a CNAME in a secure zone. + + 294. [bug] If we run out of space in while processing glue + when reading a master file and commit "current name" + reverts to "name_current" instead of staying as + "name_glue". + + 293. [port] Add support for FreeBSD 4.0 system tests. + + 292. [bug] Due to problems with the way some operating systems + handle simultaneous listening on IPv4 and IPv6 + addresses, the server no longer listens on IPv6 + addresses by default. To revert to the previous + behavior, specify "listen-on-v6 { any; };" in + the config file. + + 291. 
[func] Caching servers no longer send outgoing queries + over TCP just because the incoming recursive query + was a TCP one. + + 290. [cleanup] +twiddle option to dig (for testing only) removed. + + 289. [cleanup] dig is now installed in $bindir instead of $sbindir. + host is now installed in $bindir. (Be sure to remove + any $sbindir/dig from a previous release.) + + 288. [func] rndc is now installed by "make install" into $sbindir. + + 287. [bug] rndc now works again as "rndc 127.1 reload" (for + only that task). Parsing its configuration file and + using digital signatures for authentication has been + disabled until named supports the "controls" statement, + post-9.0.0. + + 286. [bug] On Solaris 2, when named inherited a signal state + where SIGHUP had the SIG_IGN action, SIGHUP would + be ignored rather than causing the server to reload + its configuration. + + 285. [bug] A change made to the dst API for beta4 inadvertently + broke OMAPI's creation of a dst key from an incoming + message, causing an assertion to be triggered. Fixed. + + 284. [func] The DNSSEC key generation and signing tools now + generate randomness from keyboard input on systems + that lack /dev/random. + + 283. [cleanup] The 'lwresd' program is now a link to 'named'. + + 282. [bug] The lexer now returns ISC_R_RANGE if parsed integer is + too big for an unsigned long. + + 281. [bug] Fixed list of recognized config file category names. + + 280. [func] Add isc-config.sh, which can be used to more + easily build applications that link with + our libraries. + + 279. [bug] Private omapi function symbols shared between + two or more files in libomapi.a were not namespace + protected using the ISC convention of starting with + the library name and two underscores ("omapi__"...) + + 278. 
[bug] bin/named/logconf.c:category_fromconf() didn't take + note of when isc_log_categorybyname() wasn't able + to find the category name and would then apply the + channel list of the unknown category to all categories. + + 277. [bug] isc_log_categorybyname() and isc_log_modulebyname() + would fail to find the first member of any category + or module array apart from the internal defaults. + Thus, for example, the "notify" category was improperly + configured by named. + + 276. [bug] dig now supports maximum sized TCP messages. + + 275. [bug] The definition of lwres_gai_strerror() was missing + the lwres_ prefix. + + 274. [bug] TSIG AXFR verify failed when talking to a BIND 8 + server. + + 273. [func] The default for the 'transfer-format' option is + now 'many-answers'. This will break zone transfers + to BIND 4.9.5 and older unless there is an explicit + 'one-answer' configuration. + + 272. [bug] The sending of large TCP responses was canceled + in mid-transmission due to a race condition + caused by the failure to set the client object's + "newstate" variable correctly when transitioning + to the "working" state. + + 271. [func] Attempt to probe the number of cpus in named + if unspecified rather than defaulting to 1. + + 270. [func] Allow maximum sized TCP answers. + + 269. [bug] Failed DNSSEC validations could cause an assertion + failure by causing clone_results() to be called with + with hevent->node == NULL. + + 268. [doc] A plain text version of the Administrator + Reference Manual is now included in the distribution, + as doc/arm/Bv9ARM.txt. + + 267. [func] Nsupdate is now provided in the distribution. + + 266. [bug] zone.c:save_nsrrset() node was not initialized. + + 265. [bug] dns_request_create() now works for TCP. + + 264. [func] Dispatch can not take TCP sockets in connecting + state. Set DNS_DISPATCHATTR_CONNECTED when calling + dns_dispatch_createtcp() for connected TCP sockets + or call dns_dispatch_starttcp() when the socket is + connected. 
+ + 263. [func] New logging channel type 'stderr' + + channel some-name { + stderr; + severity error; + } + + 262. [bug] 'master' was not initialized in zone.c:stub_callback(). + + 261. [func] Add dns_zone_markdirty(). + + 260. [bug] Running named as a non-root user failed on Linux + kernels new enough to support retaining capabilities + after setuid(). + + 259. [func] New random-device and random-seed-file statements + for global options block of named.conf. Both accept + a single string argument. + + 258. [bug] Fixed printing of lwres_addr_t.address field. + + 257. [bug] The server detached the last zone manager reference + too early, while it could still be in use by queries. + This manifested itself as assertion failures during the + shutdown process for busy name servers. [RT #133] + + 256. [func] isc_ratelimiter_t now has attach/detach semantics, and + isc_ratelimiter_shutdown guarantees that the rate + limiter is detached from its task. + + 255. [func] New function dns_zonemgr_attach(). + + 254. [bug] Suppress "query denied" messages on additional data + lookups. + + --- 9.0.0b4 released --- + + 253. [func] resolv.conf parser now recognises ';' and '#' as + comments (anywhere in line, not just as the beginning). + + 252. [bug] resolv.conf parser mishandled masks on sortlists. + It also aborted when an unrecognized keyword was seen, + now it silently ignores the entire line. + + 251. [bug] lwresd caught an assertion failure on startup. + + 250. [bug] fixed handling of size+unit when value would be too + large for internal representation. + + 249. [cleanup] max-cache-size config option now takes a size-spec + like 'datasize', except 'default' is not allowed. + + 248. [bug] global lame-ttl option was not being printed when + config structures were written out. + + 247. [cleanup] Rename cache-size config option to max-cache-size. + + 246. [func] Rename global option cachesize to cache-size and + add corresponding option to view statement. + + 245. 
[bug] If an uncompressed name will take more than 255 + bytes and the buffer is sufficiently long, + dns_name_fromwire should return DNS_R_FORMERR, + not ISC_R_NOSPACE. This bug caused cause the + server to catch an assertion failure when it + received a query for a name longer than 255 + bytes. + + 244. [bug] empty named.conf file and empty options statement are + now parsed properly. + + 243. [func] new cachesize option for named.conf + + 242. [cleanup] fixed incorrect warning about auth-nxdomain usage. + + 241. [cleanup] nscount and soacount have been removed from the + dns_master_*() argument lists. + + 240. [func] databases now come in three flavours: zone, cache + and stub. + + 239. [func] If ISC_MEM_DEBUG is enabled, the variable + isc_mem_debugging controls whether messages + are printed or not. + + 238. [cleanup] A few more compilation warnings have been quieted: + + missing sigwait prototype on BSD/OS 4.0/4.0.1. + + PTHREAD_ONCE_INIT unbraced initializer warnings on + Solaris 2.8. + + IN6ADDR_ANY_INIT unbraced initializer warnings on + BSD/OS 4.*, Linux and Solaris 2.8. + + 237. [bug] If connect() returned ENOBUFS when the resolver was + initiating a TCP query, the socket didn't get + destroyed, and the server did not shut down cleanly. + + 236. [func] Added new listen-on-v6 config file statement. + + 235. [func] Consider it a config file error if a listen-on + statement has an IPv6 address in it, or a + listen-on-v6 statement has an IPv4 address in it. + + 234. [bug] Allow a trusted-key's first field (domain-name) be + either a quoted or an unquoted string, instead of + requiring a quoted string. + + 233. [cleanup] Convert all config structure integer values to unsigned + integer (isc_uint32_t) to match grammer. + + 232. [bug] Allow slave zones to not have a file. + + 231. [func] Support new 'port' clause in config file options + section. Causes 'listen-on', 'masters' and + 'also-notify' statements to use its value instead of + default (53). + + 230. 
[func] Replace the dst sign/verify API with a cleaner one. + + 229. [func] Support config file sig-validity-interval statement + in options, views and zone statements (master + zones only). + + 228. [cleanup] Logging messages in config module stripped of + trailing period. + + 227. [cleanup] The enumerated identifiers dns_rdataclass_*, + dns_rcode_*, dns_opcode_*, and dns_trust_* are + also now cast to their appropriate types, as with + dns_rdatatype_* in item number 225 below. + + 226. [func] dns_name_totext() now always prints the root name as + '.', even when omit_final_dot is true. + + 225. [cleanup] The enumerated dns_rdatatype_* identifiers are now + cast to dns_rdatatype_t via macros of their same name + so that they are of the proper integral type wherever + a dns_rdatatype_t is needed. + + 224. [cleanup] The entire project builds cleanly with gcc's + -Wcast-qual and -Wwrite-strings warnings enabled, + which is now the default when using gcc. (Warnings + from confparser.c, because of yacc's code, are + unfortunately to be expected.) + + 223. [func] Several functions were reprototyped to qualify one + or more of their arguments with "const". Similarly, + several functions that return pointers now have + those pointers qualified with const. + + 222. [bug] The global 'also-notify' option was ignored. + + 221. [bug] An uninitialized variable was sometimes passed to + dns_rdata_freestruct() when loading a zone, causing + an assertion failure. + + 220. [cleanup] Set the default outgoing port in the view, and + set it in sockaddrs returned from the ADB. + [31-May-2000 explorer] + + 219. [bug] Signed truncated messages more correctly follow + the respective specs. + + 218. [func] When an rdataset is signed, its ttl is normalized + based on the signature validity period. + + 217. [func] Also-notify and trusted-keys can now be used in + the 'view' statement. + + 216. [func] The 'max-cache-ttl' and 'max-ncache-ttl' options + now work. + + 215. 
[bug] Failures at certain points in request processing + could cause the assertion INSIST(client->lockview + == NULL) to be triggered. + + 214. [func] New public function isc_netaddr_format(), for + formatting network addresses in log messages. + + 213. [bug] Don't leak memory when reloading the zone if + an update-policy clause was present in the old zone. + + 212. [func] Added dns_message_get/settsigkey, to make TSIG + key management reasonable. + + 211. [func] The 'key' and 'server' statements can now occur + inside 'view' statements. + + 210. [bug] The 'allow-transfer' option was ignored for slave + zones, and the 'transfers-per-ns' option was + was ignored for all zones. + + 209. [cleanup] Upgraded openssl files to new version 0.9.5a + + 208. [func] Added ISC_OFFSET_MAXIMUM for the maximum value + of an isc_offset_t. + + 207. [func] The dnssec tools properly use the logging subsystem. + + 206. [cleanup] dst now stores the key name as a dns_name_t, not + a char *. + + 205. [cleanup] On IRIX, turn off the mostly harmless warnings 1692 + ("prototyped function redeclared without prototype") + and 1552 ("variable ... set but not used") when + compiling in the lib/dns/sec/{dnssafe,openssl} + directories, which contain code imported from outside + sources. + + 204. [cleanup] On HP/UX, pass +vnocompatwarnings to the linker + to quiet the warnings that "The linked output may not + run on a PA 1.x system." + + 203. [func] notify and zone soa queries are now tsig signed when + appropriate. + + 202. [func] isc_lex_getsourceline() changed from returning int + to returning unsigned long, the type of its underlying + counter. + + 201. [cleanup] Removed the test/sdig program, it has been + replaced by bin/dig/dig. + + + --- 9.0.0b3 released --- + + 200. [bug] Failures in sending query responses to clients + (e.g., running out of network buffers) were + not logged. + + 199. 
[bug] isc_heap_delete() sometimes violated the heap + invariant, causing timer events not to be posted + when due. + + 198. [func] Dispatch managers hold memory pools which + any managed dispatcher may use. This allows + us to avoid dipping into the memory context for + most allocations. [19-May-2000 explorer] + + 197. [bug] When an incoming AXFR or IXFR completes, the + zone's internal state is refreshed from the + SOA data. [19-May-2000 explorer] + + 196. [func] Dispatchers can be shared easily between views + and/or interfaces. [19-May-2000 explorer] + + 195. [bug] Including the NXT record of the root domain + in a negative response caused an assertion + failure. + + 194. [doc] The PDF version of the Administrator's Reference + Manual is no longer included in the ISC BIND9 + distribution. + + 193. [func] changed dst_key_free() prototype. + + 192. [bug] Zone configuration validation is now done at end + of config file parsing, and before loading + callbacks. + + 191. [func] Patched to compile on UnixWare 7.x. This platform + is not directly supported by the ISC. + + 190. [cleanup] The DNSSEC tools have been moved to a separate + directory dnssec/ and given the following new, + more descriptive names: + + dnssec-keygen + dnssec-signzone + dnssec-signkey + dnssec-makekeyset + + Their command line arguments have also been changed to + be more consistent. dnssec-keygen now prints the + name of the generated key files (sans extension) + on standard output to simplify its use in automated + scripts. + + 189. [func] isc_time_secondsastimet(), a new function, will ensure + that the number of seconds in an isc_time_t does not + exceed the range of a time_t, or return ISC_R_RANGE. + Similarly, isc_time_now(), isc_time_nowplusinterval(), + isc_time_add() and isc_time_subtract() now check the + range for overflow/underflow. 
In the case of + isc_time_subtract, this changed a calling requirement + (ie, something that could generate an assertion) + into merely a condition that returns an error result. + isc_time_add() and isc_time_subtract() were void- + valued before but now return isc_result_t. + + 188. [func] Log a warning message when an incoming zone transfer + contains out-of-zone data. + + 187. [func] isc_ratelimter_enqueue() has an additional argument + 'task'. + + 186. [func] dns_request_getresponse() has an additional argument + 'preserve_order'. + + 185. [bug] Fixed up handling of ISC_MEMCLUSTER_LEGACY. Several + public functions did not have an isc__ prefix, and + referred to functions that had previously been + renamed. + + 184. [cleanup] Variables/functions which began with two leading + underscores were made to conform to the ANSI/ISO + standard, which says that such names are reserved. + + 183. [func] ISC_LOG_PRINTTAG option for log channels. Useful + for logging the program name or other identifier. + + 182. [cleanup] New commandline parameters for dnssec tools + + 181. [func] Added dst_key_buildfilename and dst_key_parsefilename + + 180. [func] New isc_result_t ISC_R_RANGE. Supersedes DNS_R_RANGE. + + 179. [func] options named.conf statement *must* now come + before any zone or view statements. + + 178. [func] Post-load of named.conf check verifies a slave zone + has non-empty list of masters defined. + + 177. [func] New per-zone boolean: + + enable-zone yes | no ; + + intended to let a zone be disabled without having + to comment out the entire zone statement. + + 176. [func] New global and per-view option: + + max-cache-ttl number + + 175. [func] New global and per-view option: + + additional-data internal | minimal | maximal; + + 174. [func] New public function isc_sockaddr_format(), for + formatting socket addresses in log messages. + + 173. 
[func] Keep a queue of zones waiting for zone transfer + quota so that a new transfer can be dispatched + immediately whenever quota becomes available. + + 172. [bug] $TTL directive was sometimes missing from dumped + master files because totext_ctx_init() failed to + initialize ctx->current_ttl_valid. + + 171. [cleanup] On NetBSD systems, the mit-pthreads or + unproven-pthreads library is now always used + unless --with-ptl2 is explicitly specified on + the configure command line. The + --with-mit-pthreads option is no longer needed + and has been removed. + + 170. [cleanup] Remove inter server consistancy checks from zone, + these should return as a seperate module in 9.1. + dns_zone_checkservers(), dns_zone_checkparents(), + dns_zone_checkchildren(), dns_zone_checkglue(). + + Remove dns_zone_setadb(), dns_zone_setresolver(), + dns_zone_setrequestmgr() these should now be found + via the view. + + 169. [func] ratelimiter can now process N events per interval. + + 168. [bug] include statements in named.conf caused syntax errors + due to not consuming the semicolon ending the include + statement before switching input streams. + + 167. [bug] Make lack of masters for a slave zone a soft error. + + 166. [bug] Keygen was overwriting existing keys if key_id + conflicted, now it will retry, and non-null keys + with key_id == 0 are not generated anymore. Key + was not able to generate NOAUTHCONF DSA key, + increased RSA key size to 2048 bits. + + 165. [cleanup] Silence "end-of-loop condition not reached" warnings + from Solaris compiler. + + 164. [func] Added functions isc_stdio_open(), isc_stdio_close(), + isc_stdio_seek(), isc_stdio_read(), isc_stdio_write(), + isc_stdio_flush(), isc_stdio_sync(), isc_file_remove() + to encapsulate nonportable usage of errno and sync. + + 163. [func] Added result codes ISC_R_FILENOTFOUND and + ISC_R_FILEEXISTS. + + 162. [bug] Ensure proper range for arguments to ctype.h functions. + + 161. 
[cleanup] error in yyparse prototype that only HPUX caught. + + 160. [cleanup] getnet*() are not going to be implemented at this + stage. + + 159. [func] Redefinition of config file elements is now an + error (instead of a warning). + + 158. [bug] Log channel and category list copy routines + weren't assigning properly to output parameter. + + 157. [port] Fix missing prototype for getopt(). + + 156. [func] Support new 'database' statement in zone. + + database "quoted-string"; + + 155. [bug] ns_notify_start() was not detaching the found zone. + + 154. [func] The signer now logs libdns warnings to stderr even when + not verbose, and in a nicer format. + + 153. [func] dns_rdata_tostruct() 'mctx' is now optional. If 'mctx' + is NULL then you need to preserve the 'rdata' until + you have finished using the structure as there may be + references to the associated memory. If 'mctx' is + non-NULL it is guaranteed that there are no references + to memory associated with 'rdata'. + + dns_rdata_freestruct() must be called if 'mctx' was + non-NULL and may safely be called if 'mctx' was NULL. + + 152. [bug] keygen dumped core if domain name argument was omitted + from command line. + + 151. [func] Support 'disabled' statement in zone config (causes + zone to be parsed and then ignored). Currently must + come after the 'type' clause. + + 150. [func] Support optional ports in masters and also-notify + statements: + + masters [ port xxx ] { y.y.y.y [ port zzz ] ; } + + 149. [cleanup] Removed usused argument 'olist' from + dns_c_view_unsetordering(). + + 148. [cleanup] Stop issuing some warnings about some configuration + file statements that were not implemented, but now are. + + 147. [bug] Changed yacc union size to be smaller for yaccs that + put yacc-stack on the real stack. + + 146. [cleanup] More general redundant header file cleanup. 
Rather + than continuing to itemize every header which changed, + this changelog entry just notes that if a header file + did not need another header file that it was including + in order to provide its advertized functionality, the + inclusion of the other header file was removed. See + util/check-includes for how this was tested. + + 145. [cleanup] Added <isc/lang.h> and ISC_LANG_BEGINDECLS/ + ISC_LANG_ENDDECLS to header files that had function + prototypes, and removed it from those that did not. + + 144. [cleanup] libdns header files too numerous to name were made + to conform to the same style for multiple inclusion + protection. + + 143. [func] Added function dns_rdatatype_isknown(). + + 142. [cleanup] <isc/stdtime.h> does not need <time.h> or + <isc/result.h>. + + 141. [bug] Corrupt requests with multiple questions could + cause an assertion failure. + + 140. [cleanup] <isc/time.h> does not need <time.h> or <isc/result.h>. + + 139. [cleanup] <isc/net.h> now includes <isc/types.h> instead of + <isc/int.h> and <isc/result.h>. + + 138. [cleanup] isc_strtouq moved from str.[ch] to string.[ch] and + renamed isc_string_touint64. isc_strsep moved from + strsep.c to string.c and renamed isc_string_separate. + + 137. [cleanup] <isc/commandline.h>, <isc/mem.h>, <isc/print.h> + <isc/serial.h>, <isc/string.h> and <isc/offset.h> + made to conform to the same style for multiple + inclusion protection. + + 136. [cleanup] <isc/commandline.h>, <isc/interfaceiter.h>, + <isc/net.h> and Win32's <isc/thread.h> needed + ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS. + + 135. [cleanup] Win32's <isc/condition.h> did not need <isc/result.h> + or <isc/boolean.h>, now uses <isc/types.h> in place + of <isc/time.h>, and needed ISC_LANG_BEGINDECLS + and ISC_LANG_ENDDECLS. + + 134. [cleanup] <isc/dir.h> does not need <limits.h>. + + 133. [cleanup] <isc/ipv6.h> needs <isc/platform.h>. + + 132. [cleanup] <isc/app.h> does not need <isc/task.h>, but does + need <isc/eventclass.h>. + + 131. 
[cleanup] <isc/mutex.h> and <isc/util.h> need <isc/result.h> + for ISC_R_* codes used in macros. + + 130. [cleanup] <isc/condition.h> does not need <pthread.h> or + <isc/boolean.h>, and now includes <isc/types.h> + instead of <isc/time.h>. + + 129. [bug] The 'default_debug' log channel was not set up when + 'category default' was present in the config file + + 128. [cleanup] <isc/dir.h> had ISC_LANG_BEGINDECLS instead of + ISC_LANG_ENDDECLS at end of header. + + 127. [cleanup] The contracts for the comparision routines + dns_name_fullcompare(), dns_name_compare(), + dns_name_rdatacompare(), and dns_rdata_compare() now + specify that the order value returned is < 0, 0, or > 0 + instead of -1, 0, or 1. + + 126. [cleanup] <isc/quota.h> and <isc/taskpool.h> need <isc/lang.h>. + + 125. [cleanup] <isc/eventclass.h>, <isc/ipv6.h>, <isc/magic.h>, + <isc/mutex.h>, <isc/once.h>, <isc/region.h>, and + <isc/resultclass.h> do not need <isc/lang.h>. + + 124. [func] signer now imports parent's zone key signature + and creates null keys/sets zone status bit for + children when necessary + + 123. [cleanup] <isc/event.h> does not need <stddef.h>. + + 122. [cleanup] <isc/task.h> does not need <isc/mem.h> or + <isc/result.h>. + + 121. [cleanup] <isc/symtab.h> does not need <isc/mem.h> or + <isc/result.h>. Multiple inclusion protection + symbol fixed from ISC_SYMBOL_H to ISC_SYMTAB_H. + isc_symtab_t moved to <isc/types.h>. + + 120. [cleanup] <isc/socket.h> does not need <isc/boolean.h>, + <isc/bufferlist.h>, <isc/task.h>, <isc/mem.h> or + <isc/net.h>. + + 119. [cleanup] structure definitions for generic rdata stuctures do + not have _generic_ in their names. + + 118. [cleanup] libdns.a is now namespace-clean, on NetBSD, excepting + YACC crust (yyparse, etc) [2000-apr-27 explorer] + + 117. [cleanup] libdns.a changes: + dns_zone_clearnotify() and dns_zone_addnotify() + are replaced by dns_zone_setnotifyalso(). 
+ dns_zone_clearmasters() and dns_zone_addmaster() + are replaced by dns_zone_setmasters(). + + 116. [func] Added <isc/offset.h> for isc_offset_t (aka off_t + on Unix systems). + + 115. [port] Shut up the -Wmissing-declarations warning about + <stdio.h>'s __sputaux on BSD/OS pre-4.1. + + 114. [cleanup] <isc/sockaddr.h> does not need <isc/buffer.h> or + <isc/list.h>. + + 113. [func] Utility programs dig and host added. + + 112. [cleanup] <isc/serial.h> does not need <isc/boolean.h>. + + 111. [cleanup] <isc/rwlock.h> does not need <isc/result.h> or + <isc/mutex.h>. + + 110. [cleanup] <isc/result.h> does not need <isc/boolean.h> or + <isc/list.h>. + + 109. [bug] "make depend" did nothing for + bin/tests/{db,mem,sockaddr,tasks,timers}/. + + 108. [cleanup] DNS_SETBIT/DNS_GETBIT/DNS_CLEARBIT moved from + <dns/types.h> to <dns/bit.h> and renamed to + DNS_BIT_SET/DNS_BIT_GET/DNS_BIT_CLEAR. + + 107. [func] Add keysigner and keysettool. + + 106. [func] Allow dnssec verifications to ignore the validity + period. Used by several of the dnssec tools. + + 105. [doc] doc/dev/coding.html expanded with other + implicit conventions the developers have used. + + 104. [bug] Made compress_add and compress_find static to + lib/dns/compress.c. + + 103. 
[func] libisc buffer API changes for <isc/buffer.h>: + Added: + isc_buffer_base(b) (pointer) + isc_buffer_current(b) (pointer) + isc_buffer_active(b) (pointer) + isc_buffer_used(b) (pointer) + isc_buffer_length(b) (int) + isc_buffer_usedlength(b) (int) + isc_buffer_consumedlength(b) (int) + isc_buffer_remaininglength(b) (int) + isc_buffer_activelength(b) (int) + isc_buffer_availablelength(b) (int) + Removed: + ISC_BUFFER_USEDCOUNT(b) + ISC_BUFFER_AVAILABLECOUNT(b) + isc_buffer_type(b) + Changed names: + isc_buffer_used(b, r) -> + isc_buffer_usedregion(b, r) + isc_buffer_available(b, r) -> + isc_buffer_available_region(b, r) + isc_buffer_consumed(b, r) -> + isc_buffer_consumedregion(b, r) + isc_buffer_active(b, r) -> + isc_buffer_activeregion(b, r) + isc_buffer_remaining(b, r) -> + isc_buffer_remainingregion(b, r) + + Buffer types were removed, so the ISC_BUFFERTYPE_* + macros are no more, and the type argument to + isc_buffer_init and isc_buffer_allocate were removed. + isc_buffer_putstr is now void (instead of isc_result_t) + and requires that the caller ensure that there + is enough available buffer space for the string. + + 102. [port] Correctly detect inet_aton, inet_pton and inet_ptop + on BSD/OS 4.1. + + 101. [cleanup] Quieted EGCS warnings from lib/isc/print.c. + + 100. [cleanup] <isc/random.h> does not need <isc/int.h> or + <isc/mutex.h>. isc_random_t moved to <isc/types.h>. + + 99. [cleanup] Rate limiter now has separate shutdown() and + destroy() functions, and it guarantees that all + queued events are delivered even in the shutdown case. + + 98. [cleanup] <isc/print.h> does not need <stdarg.h> or <stddef.h> + unless ISC_PLATFORM_NEEDVSNPRINTF is defined. + + 97. [cleanup] <isc/ondestroy.h> does not need <stddef.h> or + <isc/event.h>. + + 96. [cleanup] <isc/mutex.h> does not need <isc/result.h>. + + 95. [cleanup] <isc/mutexblock.h> does not need <isc/result.h>. + + 94. [cleanup] Some installed header files did not compile as C++. + + 93. 
[cleanup] <isc/msgcat.h> does not need <isc/result.h>. + + 92. [cleanup] <isc/mem.h> does not need <stddef.h>, <isc/boolean.h>, + or <isc/result.h>. + + 91. [cleanup] <isc/log.h> does not need <sys/types.h> or + <isc/result.h>. + + 90. [cleanup] Removed unneeded ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS + from <named/listenlist.h>. + + 89. [cleanup] <isc/lex.h> does not need <stddef.h>. + + 88. [cleanup] <isc/interfaceiter.h> does not need <isc/result.h> or + <isc/mem.h>. isc_interface_t and isc_interfaceiter_t + moved to <isc/types.h>. + + 87. [cleanup] <isc/heap.h> does not need <isc/boolean.h>, + <isc/mem.h> or <isc/result.h>. + + 86. [cleanup] isc_bufferlist_t moved from <isc/bufferlist.h> to + <isc/types.h>. + + 85. [cleanup] <isc/bufferlist.h> does not need <isc/buffer.h>, + <isc/list.h>, <isc/mem.h>, <isc/region.h> or + <isc/int.h>. + + 84. [func] allow-query ACL checks now apply to all data + added to a response. + + 83. [func] If the server is authoritative for both a + delegating zone and its (nonsecure) delegatee, and + a query is made for a KEY RR at the top of the + delegatee, then the server will look for a KEY + in the delegator if it is not found in the delegatee. + + 82. [cleanup] <isc/buffer.h> does not need <isc/list.h>. + + 81. [cleanup] <isc/int.h> and <isc/boolean.h> do not need + <isc/lang.h>. + + 80. [cleanup] <isc/print.h> does not need <stdio.h> or <stdlib.h>. + + 79. [cleanup] <dns/callbacks.h> does not need <stdio.h>. + + 78. [cleanup] lwres_conftest renamed to lwresconf_test for + consistency with other *_test programs. + + 77. [cleanup] typedef of isc_time_t and isc_interval_t moved from + <isc/time.h> to <isc/types.h>. + + 76. [cleanup] Rewrote keygen. + + 75. [func] Don't load a zone if its database file is older + than the last time the zone was loaded. + + 74. [cleanup] Removed mktemplate.o and ufile.o from libisc.a, + subsumed by file.o. + + 73. 
[func] New "file" API in libisc, including new function + isc_file_getmodtime, isc_mktemplate renamed to + isc_file_mktemplate and isc_ufile renamed to + isc_file_openunique. By no means an exhaustive API, + it is just what's needed for now. + + 72. [func] DNS_RBTFIND_NOPREDECESSOR and DNS_RBTFIND_NOOPTIONS + added for dns_rbt_findnode, the former to disable the + setting of the chain to the predecessor, and the + latter to make clear when no options are set. + + 71. [cleanup] Made explicit the implicit REQUIREs of + isc_time_seconds, isc_time_nanoseconds, and + isc_time_subtract. + + 70. [func] isc_time_set() added. + + 69. [bug] The zone object's master and also-notify lists grew + longer with each server reload. + + 68. [func] Partial support for SIG(0) on incoming messages. + + 67. [performance] Allow use of alternate (compile-time supplied) + OpenSSL libraries/headers. + + 66. [func] Data in authoritative zones should have a trust level + beyond secure. + + 65. [cleanup] Removed obsolete typedef of dns_zone_callbackarg_t + from <dns/types.h>. + + 64. [func] The RBT, DB, and zone table APIs now allow the + caller find the most-enclosing superdomain of + a name. + + 63. [func] Generate NOTIFY messages. + + 62. [func] Add UDP refresh support. + + 61. [cleanup] Use single quotes consistently in log messages. + + 60. [func] Catch and disallow singleton types on message + parse. + + 59. [bug] Cause net/host unreachable to be a hard error + when sending and receiving. + + 58. [bug] bin/named/query.c could sometimes trigger the + (client->query.attributes & NS_QUERYATTR_NAMEBUFUSED) + == 0 assertion in query_newname(). + + 57. [func] Added dns_nxt_typepresent() + + 56. [bug] SIG records were not properly returned in cached + negative answers. + + 55. [bug] Responses containing multiple names in the authority + section were not negatively cached. + + 54. 
[bug] If a fetch with sigrdataset==NULL joined one with + sigrdataset!=NULL or vice versa, the resolver + could catch an assertion or lose signature data, + respectively. + + 53. [port] freebsd 4.0: lib/isc/unix/socket.c requires + <sys/param.h>. + + 52. [bug] rndc: taskmgr and socketmgr were not initialized + to NULL. + + 51. [cleanup] dns/compress.h and dns/zt.h did not need to include + dns/rbt.h; it was needed only by compress.c and zt.c. + + 50. [func] RBT deletion no longer requires a valid chain to work, + and dns_rbt_deletenode was added. + + 49. [func] Each cache now has its own mctx. + + 48. [func] isc_task_create() no longer takes an mctx. + isc_task_mem() has been eliminated. + + 47. [func] A number of modules now use memory context reference + counting. + + 46. [func] Memory contexts are now reference counted. + Added isc_mem_inuse() and isc_mem_preallocate(). + Renamed isc_mem_destroy_check() to + isc_mem_setdestroycheck(). + + 45. [bug] The trusted-key statement incorrectly loaded keys. + + 44. [bug] Don't include authority data if it would force us + to unset the AD bit in the message. + + 43. [bug] DNSSEC verification of cached rdatasets was failing. + + 42. [cleanup] Simplified logging of messages with embedded domain + names by introducing a new convenience function + dns_name_format(). + + 41. [func] Use PR_SET_KEEPCAPS on Linux 2.3.99-pre3 and later + to allow 'named' to run as a non-root user while + retaining the ability to bind() to privileged + ports. + + 40. [func] Introduced new logging category "dnssec" and + logging module "dns/validator". + + 39. [cleanup] Moved the typedefs for isc_region_t, isc_textregion_t, + and isc_lex_t to <isc/types.h>. + + 38. [bug] TSIG signed incoming zone transfers work now. + + 37. [bug] If the first RR in an incoming zone transfer was + not an SOA, the server died with an assertion failure + instead of just reporting an error. + + 36. [cleanup] Change DNS_R_SUCCESS (and others) to ISC_R_SUCCESS + + 35. 
[performance] Log messages which are of a level too high to be + logged by any channel in the logging configuration + will not cause the log mutex to be locked. + + 34. [bug] Recursion was allowed even with 'recursion no'. + + 33. [func] The RBT now maintains a parent pointer at each node. + + 32. [cleanup] bin/lwresd/client.c needs <string.h> for memset() + prototype. + + 31. [bug] Use ${LIBTOOL} to compile bin/named/main.@O@. + + 30. [func] config file grammer change to support optional + class type for a view. + + 29. [func] support new config file view options: + + auth-nxdomain recursion query-source + query-source-v6 transfer-source + transfer-source-v6 max-transfer-time-out + max-transfer-idle-out transfer-format + request-ixfr provide-ixfr cleaning-interval + fetch-glue notify rfc2308-type1 lame-ttl + max-ncache-ttl min-roots + + 28. [func] support lame-ttl, min-roots and serial-queries + config global options. + + 27. [bug] Only include <netinet6/in6.h> on BSD/OS 4.[01]*. + Including it on other platforms (eg, NetBSD) can + cause a forced #error from the C preprocessor. + + 26. [func] new match-clients statement in config file view. + + 25. [bug] make install failed to install <isc/log.h> and + <isc/ondestroy.h>. + + 24. [cleanup] Eliminate some unnecessary #includes of header + files from header files. + + 23. [cleanup] Provide more context in log messages about client + requests, using a new function ns_client_log(). + + 22. [bug] SIGs weren't returned in the answer section when + the query resulted in a fetch. + + 21. [port] Look at STD_CINCLUDES after CINCLUDES during + compilation, so additional system include directories + can be searched but header files in the bind9 source + tree with conflicting names take precedence. This + avoids issues with installed versions of dnssafe and + openssl. + + 20. [func] Configuration file post-load validation of zones + failed if there were no zones. + + 19. 
[bug] dns_zone_notifyreceive() failed to unlock the zone + lock in certain error cases. + + 18. [bug] Use AC_TRY_LINK rather than AC_TRY_COMPILE in + configure.in to check for presence of in6addr_any. + + 17. [func] Do configuration file post-load validation of zones. + + 16. [bug] put quotes around key names on config file + output to avoid possible keyword clashes. + + 15. [func] Add dns_name_dupwithoffsets(). This function is + improves comparison performance for duped names. + + 14. [bug] free_rbtdb() could have 'put' unallocated memory in + an unlikely error path. + + 13. [bug] lib/dns/master.c and lib/dns/xfrin.c didn't ignore + out-of-zone data. + + 12. [bug] Fixed possible unitialized variable error. + + 11. [bug] axfr_rrstream_first() didn't check the result code of + db_rr_iterator_first(), possibly causing an assertion + to be triggered later. + + 10. [bug] A bug in the code which makes EDNS0 OPT records in + bin/named/client.c and lib/dns/resolver.c could + trigger an assertion. + + 9. [cleanup] replaced bit-setting code in confctx.c and replaced + repeated code with macro calls. + + 8. [bug] Shutdown of incoming zone transfer accessed + freed memory. + + 7. [cleanup] removed 'listen-on' from view statement. + + 6. [bug] quote RR names when generating config file to + prevent possible clash with config file keywords + (such as 'key'). + + 5. [func] syntax change to named.conf file: new ssu grant/deny + statements must now be enclosed by an 'update-policy' + block. + + 4. [port] bin/named/unix/os.c didn't compile on systems with + linux 2.3 kernel includes due to conflicts between + C library includes and the kernel includes. We now + get only what we need from <linux/capability.h>, and + avoid pulling in other linux kernel .h files. + + 3. [bug] TKEYs go in the answer section of responses, not + the additional section. + + 2. [bug] Generating cryptographic randomness failed on + systems without /dev/random. + + 1. 
[bug] The installdirs rule in + lib/isc/unix/include/isc/Makefile.in had a typo which + prevented the isc directory from being created if it + didn't exist. + + --- 9.0.0b2 released --- + +# This tells Emacs to use hard tabs in this file. +# Local Variables: +# indent-tabs-mode: t +# End: diff --git a/contrib/bind9/COPYRIGHT b/contrib/bind9/COPYRIGHT new file mode 100644 index 000000000000..ee104781f533 --- /dev/null +++ b/contrib/bind9/COPYRIGHT 
@@ -0,0 +1,30 @@ +Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2003 Internet Software Consortium. + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. + +$Id: COPYRIGHT,v 1.6.2.2.8.2 2004/03/08 04:04:12 marka Exp $ + +Portions Copyright (C) 1996-2001 Nominum, Inc. + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/contrib/bind9/FAQ b/contrib/bind9/FAQ new file mode 100644 index 000000000000..25eb00ce38b8 --- /dev/null +++ b/contrib/bind9/FAQ 
@@ -0,0 +1,454 @@ + + + +Frequently Asked Questions about BIND 9 + + +Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads? + +A: Linux threads do not fully implement the Posix threads (pthreads) standard. +In particular, setuid() operates only on the current thread, not the full +process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it +can on all other supported platforms. setuid() cannot be called before +creating threads, since the server does not start listening on reserved ports +until after threads have started. + + In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve +capabilities across a setuid() call is present. This allows BIND 9 to call +setuid() early, while retaining the ability to bind reserved ports. This is +a Linux-specific hack. + + On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less +of a security risk than a root process that has not dropped privileges. + + If Linux threads ever work correctly, this restriction will go away. + + Configuring BIND9 with the --disable-threads option (the default) causes a +non-threaded version to be built, which will allow -u to be used. + + +Q: Why does named log the warning message "no TTL specified - using SOA +MINTTL instead"? + +A: Your zone file is illegal according to RFC1035. It must either +have a line like + + $TTL 86400 + +at the beginning, or the first record in it must have a TTL field, +like the "84600" in this example: + + example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 ) + +Q: Why do I see 5 (or more) copies of named on Linux? + +A: Linux threads each show up as a process under ps. The approximate +number of threads running is n+4, where n is the number of CPUs. Note that +the amount of memory used is not cumulative; if each process is using 10M of +memory, only a total of 10M is used. 
+ + +Q: Why does BIND 9 log "permission denied" errors accessing its +configuration files or zones on my Linux system even though it is running +as root? + +A: On Linux, BIND 9 drops most of its root privileges on startup. +This including the privilege to open files owned by other users. +Therefore, if the server is running as root, the configuration files +and zone files should also be owned by root. + + +Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file +bar: ran out of space" + +A: This is often caused by TXT records with missing close quotes. Check that +all TXT records containing quoted strings have both open and close quotes. + + +Q: How do I produce a usable core file from a multithreaded named on Linux? + +A: If the Linux kernel is 2.4.7 or newer, multithreaded core dumps +are usable (that is, the correct thread is dumped). Otherwise, if using +a 2.2 kernel, apply the kernel patch found in contrib/linux/coredump-patch +and rebuild the kernel. This patch will cause multithreaded programs to dump +the correct thread. + + +Q: How do I restrict people from looking up the server version? + +A: Put a "version" option containing something other than the real +version in the "options" section of named.conf. Note doing this will +not prevent attacks and may impede people trying to diagnose problems +with your server. Also it is possible to "fingerprint" nameservers to +determine their version. + + +Q: How do I restrict only remote users from looking up the server +version? + +A: The following view statement will intercept lookups as the internal +view that holds the version information will be matched last. The +caveats of the previous answer still apply, of course. + + view "chaos" chaos { + match-clients { <those to be refused>; }; + allow-query { none; }; + zone "." { + type hint; + file "/dev/null"; // or any empty file + }; + }; + + +Q: What do "no source of entropy found" or "could not open entropy source foo" +mean? 
+ +A: The server requires a source of entropy to perform certain operations, +mostly DNSSEC related. These messages indicate that you have no source +of entropy. On systems with /dev/random or an equivalent, it is used by +default. A source of entropy can also be defined using the random-device +option in named.conf. + + +Q: I installed BIND 9 and restarted named, but it's still BIND 8. Why? + +A: BIND 9 is installed under /usr/local by default. BIND 8 is often +installed under /usr. Check that the correct named is running. + + +Q: I'm trying to use TSIG to authenticate dynamic updates or zone +transfers. I'm sure I have the keys set up correctly, but the server +is rejecting the TSIG. Why? + +A: This may be a clock skew problem. Check that the the clocks on +the client and server are properly synchronized (e.g., using ntp). + + +Q: I'm trying to compile BIND 9, and "make" is failing due to files not +being found. Why? + +A: Using a parallel or distributed "make" to build BIND 9 is not +supported, and doesn't work. If you are using one of these, use +normal make or gmake instead. + + +Q: I have a BIND 9 master and a BIND 8.2.3 slave, and the master is +logging error messages like "notify to 10.0.0.1#53 failed: unexpected +end of input". What's wrong? + +A: This error message is caused by a known bug in BIND 8.2.3 and is fixed +in BIND 8.2.4. It can be safely ignored - the notify has been acted on by +the slave despite the error message. + + +Q: I keep getting log messages like the following. Why? + + Dec 4 23:47:59 client 10.0.0.1#1355: updating zone 'example.com/IN': + update failed: 'RRset exists (value dependent)' prerequisite not + satisfied (NXRRSET) + +A: DNS updates allow the update request to test to see if certain +conditions are met prior to proceeding with the update. The message +above is saying that conditions were not met and the update is not +proceeding. See doc/rfc/rfc2136.txt for more details on prerequisites. 
+ + +Q: I keep getting log messages like the following. Why? + + Jun 21 12:00:00.000 client 10.0.0.1#1234: update denied + +A: Someone is trying to update your DNS data using the RFC2136 Dynamic +Update protocol. Windows 2000 machines have a habit of sending dynamic +update requests to DNS servers without being specifically configured to +do so. If the update requests are coming from a Windows 2000 machine, +see <http://support.microsoft.com/support/kb/articles/q246/8/04.asp> +for information about how to turn them off. + + +Q: I see a log message like the following. Why? + + couldn't open pid file '/var/run/named.pid': Permission denied + +A: You are most likely running named as a non-root user, and that user +does not have permission to write in /var/run. The common ways of +fixing this are to create a /var/run/named directory owned by the named +user and set pid-file to "/var/run/named/named.pid", or set +pid-file to "named.pid", which will put the file in the directory +specified by the directory option (which, in this case, must be writable +by the named user). + + +Q: When I do a "dig . ns", many of the A records for the root +servers are missing. Why? + +A: This is normal and harmless. It is a somewhat confusing side effect +of the way BIND 9 does RFC2181 trust ranking and of the efforts BIND 9 +makes to avoid promoting glue into answers. + +When BIND 9 first starts up and primes its cache, it receives the root +server addresses as additional data in an authoritative response from +a root server, and these records are eligible for inclusion as +additional data in responses. Subsequently it receives a subset of +the root server addresses as additional data in a non-authoritative +(referral) response from a root server. This causes the addresses to +now be considered non-authoritative (glue) data, which is not eligible +for inclusion in responses. 
+ +The server does have a complete set of root server addresses cached +at all times, it just may not include all of them as additional data, +depending on whether they were last received as answers or as glue. +You can always look up the addresses with explicit queries like +"dig a.root-servers.net A". + + +Q: Zone transfers from my BIND 9 master to my Windows 2000 slave +fail. Why? + +A: This may be caused by a bug in the Windows 2000 DNS server where +DNS messages larger than 16K are not handled properly. This can be +worked around by setting the option "transfer-format one-answer;". +Also check whether your zone contains domain names with embedded +spaces or other special characters, like "John\032Doe\213s\032Computer", +since such names have been known to cause Windows 2000 slaves to +incorrectly reject the zone. + + +Q: Why don't my zones reload when I do an "rndc reload" or SIGHUP? + +A: A zone can be updated either by editing zone files and reloading +the server or by dynamic update, but not both. If you have enabled +dynamic update for a zone using the "allow-update" option, you are not +supposed to edit the zone file by hand, and the server will not +attempt to reload it. + + +Q: I can query the nameserver from the nameserver but not from other +machines. Why? + +A: This is usually the result of the firewall configuration stopping +the queries and / or the replies. + + +Q: How can I make a server a slave for both an internal and +an external view at the same time? When I tried, both views +on the slave were transferred from the same view on the master. + +A: You will need to give the master and slave multiple IP addresses and +use those to make sure you reach the correct view on the other machine. + + e.g. 
+ Master: 10.0.1.1 (internal), 10.0.1.2 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.1; + transfer-source 10.0.1.1; + query-source address 10.0.1.1; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.2; + transfer-source 10.0.1.2; + query-source address 10.0.1.2; + + Slave: 10.0.1.3 (internal), 10.0.1.4 (external, IP alias) + internal: + match-clients { !10.0.1.2; !10.0.1.4; 10.0.1/24; }; + notify-source 10.0.1.3; + transfer-source 10.0.1.3; + query-source address 10.0.1.3; + external: + match-clients { any; }; + recursion no; // don't offer recursion to the world + notify-source 10.0.1.4; + transfer-source 10.0.1.4; + query-source address 10.0.1.4; + + You put the external address on the alias so that all the other + dns clients on these boxes see the internal view by default. + +A: (BIND 9.3 and later) Use TSIG to select the appropriate view. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + ... + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.2 { keys external; }; + recursion no; + ... + }; + + Slave 10.0.1.2: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + view "internal" { + match-clients { !key external; 10.0.1/24; }; + }; + view "external" { + match-clients { key external; any; }; + server 10.0.0.1 { keys external; }; + recursion no; + ... + }; + + +Q: I have Freebsd 4.x and "rndc-confgen -a" just sits there. + +A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel +to use certain interrupts as a source of random events. You can make this +permanent by setting rand_irqs in /etc/rc.conf. + +e.g. + /etc/rc.conf + rand_irqs="3 14 15" + +See also http://people.freebsd.org/~dougb/randomness.html + + +Q: Why is named listening on UDP port other than 53? 
+ +A: Named uses a system selected port to make queries of other nameservers. +This behaviour can be overridden by using query-source to lock down the +port and/or address. See also notify-source and transfer-source. + + +Q: I get error messages like "multiple RRs of singleton type" and +"CNAME and other data" when transferring a zone. What does this mean? + +A: These indicate a malformed master zone. You can identify the +exact records involved by transferring the zone using dig then +running named-checkzone on it. + + e.g. + dig axfr example.com @master-server > tmp + named-checkzone example.com tmp + + +Q: I get error messages like "named.conf:99: unexpected end of input" where +99 is the last line of named.conf. + +A: Some text editors (notepad and wordpad) fail to put a line termination +indication (e.g. CR/LF) on the last line of a text file. This can be fixed +by "adding" a blank line to the end of the file. Named expects to see EOF +immediately after EOL and treats text files where this is not met as truncated. + + +Q: I get warning messages like "zone example.com/IN: refresh: failure trying master +1.2.3.4#53: timed out". + +A: Check that you can make UDP queries from the slave to the master + + dig +norec example.com soa @1.2.3.4 + +A: You could be generating queries faster than the slave can cope with. Lower +the serial query rate. + + serial-query-rate 5; // default 20 + +Q: How do I share a dynamic zone between multiple views? + +A: You choose one view to be master and the second a slave and transfer +the zone between views. + + Master 10.0.1.1: + key "external" { + algorithm hmac-md5; + secret "xxxxxxxx"; + }; + + key "mykey" { + algorithm hmac-md5; + secret "yyyyyyyy"; + }; + + view "internal" { + match-clients { !external; 10.0.1/24; }; + server 10.0.1.1 { + /* Deliver notify messages to external view. 
*/ + keys { external; }; + }; + zone "example.com" { + type master; + file "internal/example.db"; + allow-update { key mykey; }; + notify-also { 10.0.1.1; }; + }; + }; + + view "external" { + match-clients { external; any; }; + zone "example.com" { + type slave; + file "external/example.db"; + masters { 10.0.1.1; }; + transfer-source { 10.0.1.1; }; + // allow-update-forwarding { any; }; + // allow-notify { ... }; + }; + }; + +Q: I get a error message like "zone wireless.ietf56.ietf.org/IN: loading master +file primaries/wireless.ietf56.ietf.org: no owner". + +A: This error is produced when a line in the master file contains leading +white space (tab/space) but the is no current record owner name to inherit +the name from. Usually this is the result of putting white space before +a comment. Forgeting the "@" for the SOA record or indenting the master +file. + + +Q: Why are my logs in GMT (UTC). + +A: You are running chrooted (-t) and have not supplied local timzone +information in the chroot area. + + FreeBSD: /etc/localtime + Solaris: /etc/TIMEZONE and /usr/share/lib/zoneinfo + OSF: /etc/zoneinfo/localtime + + See also tzset(3) and zic(8). + + +Q: I get the error message "named: capset failed: Operation not permitted" +when starting named. + +A: The capset module has not been loaded into the kernel. See insmod(8). + + +Q: I get "rndc: connect failed: connection refused" when I try to run + rndc. + +A: This is usually a configuration error. + + First ensure that named is running and no errors are being + reported at startup (/var/log/messages or equivalent). Running + "named -g <usual arguements>" from a terminal can help at this + point. + + Secondly ensure that named is configured to use rndc either by + "rndc-confgen -a", rndc-confgen or manually. The Administators + Reference manual has details on how to do this. + + Old versions of rndc-confgen used localhost rather than 127.0.0.1 + in /etc/rndc.conf for the default server. 
Update /etc/rndc.conf + if necessary so that the default server listed in /etc/rndc.conf + matches the addresses used in named.conf. "localhost" has two + address (127.0.0.1 and ::1). + + If you use "rndc-confgen -a" and named is running with -t or -u + ensure that /etc/rndc.conf has the correct ownership and that + a copy is in the chroot area. You can do this by re-running + "rndc-confgen -a" with appropriate -t and -u arguements. + + +Q: I don't get RRSIG's returned when I use "dig +dnssec". + +A: You need to ensure DNSSEC is enabled (dnssec-enable yes;). diff --git a/contrib/bind9/Makefile.in b/contrib/bind9/Makefile.in new file mode 100644 index 000000000000..a2a06531b878 --- /dev/null +++ b/contrib/bind9/Makefile.in 
@@ -0,0 +1,59 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: Makefile.in,v 1.41.2.2.2.2 2004/03/08 04:04:12 marka Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +SUBDIRS = make lib bin doc @LIBBIND@ +TARGETS = + +@BIND9_MAKE_RULES@ + +distclean:: + @if [ "X@LIBBIND@" = "X" ] ; then \ + i=lib/bind; \ + echo "making $@ in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \ + fi + +distclean:: + rm -f config.cache config.h config.log config.status TAGS + rm -f libtool isc-config.sh configure.lineno + rm -f util/conf.sh docutil/docbook2man-wrapper.sh + +# XXX we should clean libtool stuff too. Only do this after we add rules +# to make it. +maintainer-clean:: + rm -f configure + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + +install:: isc-config.sh installdirs + ${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir} + +tags: + rm -f TAGS + find lib bin -name "*.[ch]" -print | @ETAGS@ - + +check: test + +test: + (cd bin/tests && ${MAKE} ${MAKEDEFS} test) diff --git a/contrib/bind9/README b/contrib/bind9/README new file mode 100644 index 000000000000..73715ce09de4 --- /dev/null +++ b/contrib/bind9/README 
@@ -0,0 +1,344 @@ +BIND 9 + + BIND version 9 is a major rewrite of nearly all aspects of the + underlying BIND architecture. Some of the important features of + BIND 9 are: + + - DNS Security + DNSSEC (signed zones) + TSIG (signed DNS requests) + + - IP version 6 + Answers DNS queries on IPv6 sockets + IPv6 resource records (AAAA) + Experimental IPv6 Resolver Library + + - DNS Protocol Enhancements + IXFR, DDNS, Notify, EDNS0 + Improved standards conformance + + - Views + One server process can provide multiple "views" of + the DNS namespace, e.g. an "inside" view to certain + clients, and an "outside" view to others. + + - Multiprocessor Support + + - Improved Portability Architecture + + + BIND version 9 development has been underwritten by the following + organizations: + + Sun Microsystems, Inc. + Hewlett Packard + Compaq Computer Corporation + IBM + Process Software Corporation + Silicon Graphics, Inc. + Network Associates, Inc. + U.S. Defense Information Systems Agency + USENIX Association + Stichting NLnet - NLnet Foundation + Nominum, Inc. + + +BIND 9.3.0 + + BIND 9.3.0 has a number of new features over 9.2, + including: + + DNSSEC is now DS based (RFC 3658). + See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*. + + DNSSEC lookaside validation. + + check-names is now implemented. + rrset-order in more complete. + + IPv4/IPv6 transition support, dual-stack-servers. + + IXFR deltas can now be generated when loading master files, + ixfr-from-differences. + + It is now possible to specify the size of a journal, max-journal-size. + + It is now possible to define a named set of master servers to be + used in masters clause, masters. + + The advertised EDNS UDP size can now be set, edns-udp-size. + + allow-v6-synthesis has been obsoleted. + + NOTE: + * Zones containing MD and MF will now be rejected. + * dig, nslookup name. now report "Not Implemented" as + NOTIMP rather than NOTIMPL. This will have impact on scripts + that are looking for NOTIMPL. 
+ + libbind: corresponds to that from BIND 8.4.5. + +BIND 9.2.0 + + BIND 9.2.0 has a number of new features over 9.1, + including: + + - The size of the cache can now be limited using the + "max-cache-size" option. + + - The server can now automatically convert RFC1886-style + recursive lookup requests into RFC2874-style lookups, + when enabled using the new option "allow-v6-synthesis". + This allows stub resolvers that support AAAA records + but not A6 record chains or binary labels to perform + lookups in domains that make use of these IPv6 DNS + features. + + - Performance has been improved. + + - The man pages now use the more portable "man" macros + rather than the "mandoc" macros, and are installed + by "make install". + + - The named.conf parser has been completely rewritten. + It now supports "include" directives in more + places such as inside "view" statements, and it no + longer has any reserved words. + + - The "rndc status" command is now implemented. + + - rndc can now be configured automatically. + + - A BIND 8 compatible stub resolver library is now + included in lib/bind. + + - OpenSSL has been removed from the distribution. This + means that to use DNSSEC, OpenSSL must be installed and + the --with-openssl option must be supplied to configure. + This does not apply to the use of TSIG, which does not + require OpenSSL. + + - The source distribution now builds on Windows NT/2000. + See win32utils/readme1.txt and win32utils/win32-build.txt + for details. + + This distribution also includes a new lightweight stub + resolver library and associated resolver daemon that fully + support forward and reverse lookups of both IPv4 and IPv6 + addresses. This library is considered experimental and + is not a complete replacement for the BIND 8 resolver library. + Applications that use the BIND 8 res_* functions to perform + DNS lookups or dynamic updates still need to be linked against + the BIND 8 libraries. 
For DNS lookups, they can also use the + new "getrrsetbyname()" API. + + BIND 9.2 is capable of acting as an authoritative server + for DNSSEC secured zones. This functionality is believed to + be stable and complete except for lacking support for + verifications involving wildcard records in secure zones. + + When acting as a caching server, BIND 9.2 can be configured + to perform DNSSEC secure resolution on behalf of its clients. + This part of the DNSSEC implementation is still considered + experimental. For detailed information about the state of the + DNSSEC implementation, see the file doc/misc/dnssec. + + There are a few known bugs: + + On some systems, IPv6 and IPv4 sockets interact in + unexpected ways. For details, see doc/misc/ipv6. + To reduce the impact of these problems, the server + no longer listens for requests on IPv6 addresses + by default. If you need to accept DNS queries over + IPv6, you must specify "listen-on-v6 { any; };" + in the named.conf options statement. + + FreeBSD prior to 4.2 (and 4.2 if running as non-root) + and OpenBSD prior to 2.8 log messages like + "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and + OS X 10.2 (Darwin 6.0) reports errors like + "fcntl(3, F_SETFL, 4): Operation not supported by device". + This is due to a bug in "/dev/random" and impacts the + server's DNSSEC support. + + --with-libtool does not work on AIX. + + A bug in the Windows 2000 DNS server can cause zone transfers + from a BIND 9 server to a W2K server to fail. For details, + see the "Zone Transfers" section in doc/misc/migration. + + For a detailed list of user-visible changes from + previous releases, see the CHANGES file. + + +Building + + BIND 9 currently requires a UNIX system with an ANSI C compiler, + basic POSIX support, and a 64 bit integer type. 
+ + We've had successful builds and tests on the following systems: + + COMPAQ Tru64 UNIX 5.1B + FreeBSD 4.10, 5.2.1 + HP-UX 11.11 + NetBSD 1.5 + Slackware Linux 8.1 + Solaris 8, 9, 9 (x86) + Windows NT/2000/XP/2003 + + Additionally, we have unverified reports of success building + previous versions of BIND 9 from users of the following systems: + + AIX 5L + SuSE Linux 7.0 + Slackware Linux 7.x, 8.0 + Red Hat Linux 7.1 + Debian GNU/Linux 2.2 and 3.0 + Mandrake 8.1 + OpenBSD 2.6, 2.8, 2.9 + UnixWare 7.1.1 + HP-UX 10.20 + BSD/OS 4.2 + Mac OS X 10.1 + + To build, just + + ./configure + make + + Do not use a parallel "make". + + Several environment variables that can be set before running + configure will affect compilation: + + CC + The C compiler to use. configure tries to figure + out the right one for supported systems. + + CFLAGS + C compiler flags. Defaults to include -g and/or -O2 + as supported by the compiler. + + STD_CINCLUDES + System header file directories. Can be used to specify + where add-on thread or IPv6 support is, for example. + Defaults to empty string. + + STD_CDEFINES + Any additional preprocessor symbols you want defined. + Defaults to empty string. + + Possible settings: + Change the default syslog facility of named/lwresd. + -DISC_FACILITY=LOG_LOCAL0 + Enable DNSSEC signature chasing support in dig. + -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and + -DDIG_SIGCHASE_BU=1) + + LDFLAGS + Linker flags. Defaults to empty string. + + To build shared libraries, specify "--with-libtool" on the + configure command line. + + For the server to support DNSSEC, you need to build it + with crypto support. You must have OpenSSL 0.9.5a + or newer installed and specify "--with-openssl" on the + configure command line. If OpenSSL is installed under + a nonstandard prefix, you can tell configure where to + look for it using "--with-openssl=/prefix". + + To build libbind (the BIND 8 resolver library), specify + "--enable-libbind" on the configure command line. 
+ + On some platforms, BIND 9 can be built with multithreading + support, allowing it to take advantage of multiple CPUs. + You can specify whether to build a multithreaded BIND 9 + by specifying "--enable-threads" or "--disable-threads" + on the configure command line. The default is operating + system dependent. + + If your operating system has integrated support for IPv6, it + will be used automatically. If you have installed KAME IPv6 + separately, use "--with-kame[=PATH]" to specify its location. + + "make install" will install "named" and the various BIND 9 libraries. + By default, installation is into /usr/local, but this can be changed + with the "--prefix" option when running "configure". + + You may specify the option "--sysconfdir" to set the directory + where configuration files like "named.conf" go by default, + and "--localstatedir" to set the default parent directory + of "run/named.pid". For backwards compatibility with BIND 8, + --sysconfdir defaults to "/etc" and --localstatedir defaults to + "/var" if no --prefix option is given. If there is a --prefix + option, sysconfdir defaults to "$prefix/etc" and localstatedir + defaults to "$prefix/var". + + To see additional configure options, run "configure --help". + Note that the help message does not reflect the BIND 8 + compatibility defaults for sysconfdir and localstatedir. + + If you're planning on making changes to the BIND 9 source, you + should also "make depend". If you're using Emacs, you might find + "make tags" helpful. + + If you need to re-run configure please run "make distclean" first. + This will ensure that all the option changes take. + + Building with gcc is not supported, unless gcc is the vendor's usual + compiler (e.g. the various BSD systems, Linux). + + * gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86. + * gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02. + + A limited test suite can be run with "make test". 
Many of + the tests require you to configure a set of virtual IP addresses + on your system, and some require Perl; see bin/tests/system/README + for details. + + +Documentation + + The BIND 9 Administrator Reference Manual is included with the + source distribution in DocBook XML and HTML format, in the + doc/arm directory. + + Some of the programs in the BIND 9 distribution have man pages + in their directories. In particular, the command line + options of "named" are documented in /bin/named/named.8. + There is now also a set of man pages for the lwres library. + + If you are upgrading from BIND 8, please read the migration + notes in doc/misc/migration. If you are upgrading from + BIND 4, read doc/misc/migration-4to9. + + Frequently asked questions and their answers can be found in + FAQ. + + +Bug Reports and Mailing Lists + + Bugs reports should be sent to + + bind9-bugs@isc.org + + To join the BIND Users mailing list, send mail to + + bind-users-request@isc.org + + archives of which can be found via + + http://www.isc.org/ops/lists/ + + If you're planning on making changes to the BIND 9 source + code, you might want to join the BIND Workers mailing list. + Send mail to + + bind-workers-request@isc.org + + diff --git a/contrib/bind9/acconfig.h b/contrib/bind9/acconfig.h new file mode 100644 index 000000000000..0eacd065ad3e --- /dev/null +++ b/contrib/bind9/acconfig.h 
@@ -0,0 +1,141 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: acconfig.h,v 1.35.2.4.2.8 2004/05/21 08:24:04 marka Exp $ */ + +/*** + *** This file is not to be included by any public header files, because + *** it does not get installed. + ***/ +@TOP@ + +/* define to `int' if <sys/types.h> doesn't define. 
*/ +#undef ssize_t + +/* define on DEC OSF to enable 4.4BSD style sa_len support */ +#undef _SOCKADDR_LEN + +/* define if your system needs pthread_init() before using pthreads */ +#undef NEED_PTHREAD_INIT + +/* define if your system has sigwait() */ +#undef HAVE_SIGWAIT + +/* define if sigwait() is the UnixWare flavor */ +#undef HAVE_UNIXWARE_SIGWAIT + +/* define on Solaris to get sigwait() to work using pthreads semantics */ +#undef _POSIX_PTHREAD_SEMANTICS + +/* define if LinuxThreads is in use */ +#undef HAVE_LINUXTHREADS + +/* define if sysconf() is available */ +#undef HAVE_SYSCONF + +/* define if sysctlbyname() is available */ +#undef HAVE_SYSCTLBYNAME + +/* define if catgets() is available */ +#undef HAVE_CATGETS + +/* define if getifaddrs() exists */ +#undef HAVE_GETIFADDRS + +/* define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */ +#undef HAVE_IFLIST_SYSCTL + +/* define if chroot() is available */ +#undef HAVE_CHROOT + +/* define if tzset() is available */ +#undef HAVE_TZSET + +/* define if struct addrinfo exists */ +#undef HAVE_ADDRINFO + +/* define if getaddrinfo() exists */ +#undef HAVE_GETADDRINFO + +/* define if gai_strerror() exists */ +#undef HAVE_GAISTRERROR + +/* define if arc4random() exists */ +#undef HAVE_ARC4RANDOM + +/* define if pthread_setconcurrency() should be called to tell the + * OS how many threads we might want to run. 
+ */ +#undef CALL_PTHREAD_SETCONCURRENCY + +/* define if IPv6 is not disabled */ +#undef WANT_IPV6 + +/* define if flockfile() is available */ +#undef HAVE_FLOCKFILE + +/* define if getc_unlocked() is available */ +#undef HAVE_GETCUNLOCKED + +/* Shut up warnings about sputaux in stdio.h on BSD/OS pre-4.1 */ +#undef SHUTUP_SPUTAUX +#ifdef SHUTUP_SPUTAUX +struct __sFILE; +extern __inline int __sputaux(int _c, struct __sFILE *_p); +#endif + +/* Shut up warnings about missing sigwait prototype on BSD/OS 4.0* */ +#undef SHUTUP_SIGWAIT +#ifdef SHUTUP_SIGWAIT +int sigwait(const unsigned int *set, int *sig); +#endif + +/* Shut up warnings from gcc -Wcast-qual on BSD/OS 4.1. */ +#undef SHUTUP_STDARG_CAST +#if defined(SHUTUP_STDARG_CAST) && defined(__GNUC__) +#include <stdarg.h> /* Grr. Must be included *every time*. */ +/* + * The silly continuation line is to keep configure from + * commenting out the #undef. + */ +#undef \ + va_start +#define va_start(ap, last) \ + do { \ + union { const void *konst; long *var; } _u; \ + _u.konst = &(last); \ + ap = (va_list)(_u.var + __va_words(__typeof(last))); \ + } while (0) +#endif /* SHUTUP_STDARG_CAST && __GNUC__ */ + +/* define if the system has a random number generating device */ +#undef PATH_RANDOMDEV + +/* define if pthread_attr_getstacksize() is available */ +#undef HAVE_PTHREAD_ATTR_GETSTACKSIZE + +/* define if pthread_attr_setstacksize() is available */ +#undef HAVE_PTHREAD_ATTR_SETSTACKSIZE + +/* define if you have strerror in the C library. */ +#undef HAVE_STRERROR + +/* Define if you are running under Compaq TruCluster.. */ +#undef HAVE_TRUCLUSTER + +/* Define if OpenSSL includes DSA support */ +#undef HAVE_OPENSSL_DSA diff --git a/contrib/bind9/bin/Makefile.in b/contrib/bind9/bin/Makefile.in new file mode 100644 index 000000000000..d8261d7b4c2a --- /dev/null +++ b/contrib/bind9/bin/Makefile.in 
@@ -0,0 +1,25 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: Makefile.in,v 1.22.208.1 2004/03/06 10:21:10 marka Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +SUBDIRS = named rndc dig dnssec tests nsupdate check +TARGETS = + +@BIND9_MAKE_RULES@ diff --git a/contrib/bind9/bin/check/Makefile.in b/contrib/bind9/bin/check/Makefile.in new file mode 100644 index 000000000000..5fdf4637afe6 --- /dev/null +++ b/contrib/bind9/bin/check/Makefile.in 
@@ -0,0 +1,95 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2003 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: Makefile.in,v 1.15.2.3.8.6 2004/07/20 07:01:48 marka Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \ + ${ISC_INCLUDES} + +CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" +CWARNINGS = + +DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +ISCLIBS = ../../lib/isc/libisc.@A@ +BIND9LIBS = ../../lib/bind9/libbind9.@A@ + +DNSDEPLIBS = ../../lib/dns/libdns.@A@ +ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ +ISCDEPLIBS = ../../lib/isc/libisc.@A@ +BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ + +LIBS = @LIBS@ + +SUBDIRS = + +# Alphabetically +TARGETS = named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ + +# Alphabetically +SRCS = named-checkconf.c named-checkzone.c check-tool.c + +MANPAGES = named-checkconf.8 named-checkzone.8 + +HTMLPAGES = named-checkconf.html named-checkzone.html + +MANOBJS = ${MANPAGES} ${HTMLPAGES} + +@BIND9_MAKE_RULES@ + +named-checkconf.@O@: named-checkconf.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + 
-DVERSION=\"${VERSION}\" \ + -c ${srcdir}/named-checkconf.c + +named-checkzone.@O@: named-checkzone.c + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \ + -DVERSION=\"${VERSION}\" \ + -c ${srcdir}/named-checkzone.c + +named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ + ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + named-checkconf.@O@ check-tool.@O@ ${BIND9LIBS} ${ISCCFGLIBS} \ + ${DNSLIBS} ${ISCLIBS} ${LIBS} + +named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + named-checkzone.@O@ check-tool.@O@ ${DNSLIBS} ${ISCLIBS} ${LIBS} + +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f ${MANOBJS} + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8 + +install:: named-checkconf@EXEEXT@ named-checkzone@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkconf@EXEEXT@ ${DESTDIR}${sbindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-checkzone@EXEEXT@ ${DESTDIR}${sbindir} + for m in ${MANPAGES}; do ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man8; done + +clean distclean:: + rm -f ${TARGETS} r1.htm diff --git a/contrib/bind9/bin/check/check-tool.c b/contrib/bind9/bin/check/check-tool.c new file mode 100644 index 000000000000..cefee82cfe27 --- /dev/null +++ b/contrib/bind9/bin/check/check-tool.c 
@@ -0,0 +1,159 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: check-tool.c,v 1.4.12.5 2004/03/08 04:04:13 marka Exp $ */ + +#include <config.h> + +#include <stdio.h> +#include <string.h> + +#include "check-tool.h" +#include <isc/util.h> + +#include <isc/buffer.h> +#include <isc/log.h> +#include <isc/region.h> +#include <isc/stdio.h> +#include <isc/types.h> + +#include <dns/fixedname.h> +#include <dns/name.h> +#include <dns/rdataclass.h> +#include <dns/types.h> +#include <dns/zone.h> + +#define CHECK(r) \ + do { \ + result = (r); \ + if (result != ISC_R_SUCCESS) \ + goto cleanup; \ + } while (0) + +static const char *dbtype[] = { "rbt" }; + +int debug = 0; +isc_boolean_t nomerge = ISC_TRUE; +unsigned int zone_options = DNS_ZONEOPT_CHECKNS|DNS_ZONEOPT_MANYERRORS; + +isc_result_t +setup_logging(isc_mem_t *mctx, isc_log_t **logp) { + isc_logdestination_t destination; + isc_logconfig_t *logconfig = NULL; + isc_log_t *log = NULL; + + RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS); + isc_log_setcontext(log); + + destination.file.stream = stdout; + destination.file.name = NULL; + destination.file.versions = ISC_LOG_ROLLNEVER; + 
destination.file.maximum_size = 0; + RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr", + ISC_LOG_TOFILEDESC, + ISC_LOG_DYNAMIC, + &destination, 0) == ISC_R_SUCCESS); + RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr", + NULL, NULL) == ISC_R_SUCCESS); + + *logp = log; + return (ISC_R_SUCCESS); +} + +isc_result_t +load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, + const char *classname, dns_zone_t **zonep) +{ + isc_result_t result; + dns_rdataclass_t rdclass; + isc_textregion_t region; + isc_buffer_t buffer; + dns_fixedname_t fixorigin; + dns_name_t *origin; + dns_zone_t *zone = NULL; + + REQUIRE(zonep == NULL || *zonep == NULL); + + if (debug) + fprintf(stderr, "loading \"%s\" from \"%s\" class \"%s\"\n", + zonename, filename, classname); + + CHECK(dns_zone_create(&zone, mctx)); + + dns_zone_settype(zone, dns_zone_master); + + isc_buffer_init(&buffer, zonename, strlen(zonename)); + isc_buffer_add(&buffer, strlen(zonename)); + dns_fixedname_init(&fixorigin); + origin = dns_fixedname_name(&fixorigin); + CHECK(dns_name_fromtext(origin, &buffer, dns_rootname, + ISC_FALSE, NULL)); + CHECK(dns_zone_setorigin(zone, origin)); + CHECK(dns_zone_setdbtype(zone, 1, (const char * const *) dbtype)); + CHECK(dns_zone_setfile(zone, filename)); + + DE_CONST(classname, region.base); + region.length = strlen(classname); + CHECK(dns_rdataclass_fromtext(&rdclass, ®ion)); + + dns_zone_setclass(zone, rdclass); + dns_zone_setoption(zone, zone_options, ISC_TRUE); + dns_zone_setoption(zone, DNS_ZONEOPT_NOMERGE, nomerge); + + CHECK(dns_zone_load(zone)); + if (zonep != NULL){ + *zonep = zone; + zone = NULL; + } + + cleanup: + if (zone != NULL) + dns_zone_detach(&zone); + return (result); +} + +isc_result_t +dump_zone(const char *zonename, dns_zone_t *zone, const char *filename) +{ + isc_result_t result; + FILE *output = stdout; + + if (debug) { + if (filename != NULL) + fprintf(stderr, "dumping \"%s\" to \"%s\"\n", + zonename, filename); + else + 
fprintf(stderr, "dumping \"%s\"\n", zonename); + } + + if (filename != NULL) { + result = isc_stdio_open(filename, "w+", &output); + + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "could not open output " + "file \"%s\" for writing\n", filename); + return (ISC_R_FAILURE); + } + } + + result = dns_zone_fulldumptostream(zone, output); + + if (filename != NULL) + (void)isc_stdio_close(output); + + return (result); +} diff --git a/contrib/bind9/bin/check/check-tool.h b/contrib/bind9/bin/check/check-tool.h new file mode 100644 index 000000000000..105cd258ca3d --- /dev/null +++ b/contrib/bind9/bin/check/check-tool.h 
@@ -0,0 +1,46 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: check-tool.h,v 1.2.12.5 2004/03/08 04:04:13 marka Exp $ */ + +#ifndef CHECK_TOOL_H +#define CHECK_TOOL_H + +#include <isc/lang.h> + +#include <isc/types.h> +#include <dns/types.h> + +ISC_LANG_BEGINDECLS + +isc_result_t +setup_logging(isc_mem_t *mctx, isc_log_t **logp); + +isc_result_t +load_zone(isc_mem_t *mctx, const char *zonename, const char *filename, + const char *classname, dns_zone_t **zonep); + +isc_result_t +dump_zone(const char *zonename, dns_zone_t *zone, const char *filename); + +extern int debug; +extern isc_boolean_t nomerge; +extern unsigned int zone_options; + +ISC_LANG_ENDDECLS + +#endif diff --git a/contrib/bind9/bin/check/named-checkconf.8 b/contrib/bind9/bin/check/named-checkconf.8 new file mode 100644 index 000000000000..25dbdd86ff15 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkconf.8 
@@ -0,0 +1,59 @@ +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: named-checkconf.8,v 1.11.12.4 2004/06/03 05:35:41 marka Exp $ +.\" +.TH "NAMED-CHECKCONF" "8" "June 14, 2000" "BIND9" "" +.SH NAME +named-checkconf \- named configuration file syntax checking tool +.SH SYNOPSIS +.sp +\fBnamed-checkconf\fR [ \fB-v\fR ] [ \fB-j\fR ] [ \fB-t \fIdirectory\fB\fR ] \fBfilename\fR [ \fB-z\fR ] +.SH "DESCRIPTION" +.PP +\fBnamed-checkconf\fR checks the syntax, but not +the semantics, of a named configuration file. +.SH "OPTIONS" +.TP +\fB-t \fIdirectory\fB\fR +chroot to \fIdirectory\fR so that include +directives in the configuration file are processed as if +run by a similarly chrooted named. +.TP +\fB-v\fR +Print the version of the \fBnamed-checkconf\fR +program and exit. +.TP +\fB-z\fR +Perform a check load the master zonefiles found in +\fInamed.conf\fR. +.TP +\fB-j\fR +When loading a zonefile read the journal if it exists. +.TP +\fBfilename\fR +The name of the configuration file to be checked. If not +specified, it defaults to \fI/etc/named.conf\fR. 
+.SH "RETURN VALUES" +.PP +\fBnamed-checkconf\fR returns an exit status of 1 if +errors were detected and 0 otherwise. +.SH "SEE ALSO" +.PP +\fBnamed\fR(8), +\fIBIND 9 Administrator Reference Manual\fR. +.SH "AUTHOR" +.PP +Internet Systems Consortium diff --git a/contrib/bind9/bin/check/named-checkconf.c b/contrib/bind9/bin/check/named-checkconf.c new file mode 100644 index 000000000000..88a7299b0168 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkconf.c 
@@ -0,0 +1,286 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2002 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named-checkconf.c,v 1.12.12.7 2004/03/08 09:04:14 marka Exp $ */ + +#include <config.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdio.h> + +#include <isc/commandline.h> +#include <isc/dir.h> +#include <isc/log.h> +#include <isc/mem.h> +#include <isc/result.h> +#include <isc/string.h> +#include <isc/util.h> + +#include <isccfg/namedconf.h> + +#include <bind9/check.h> + +#include <dns/log.h> +#include <dns/result.h> + +#include "check-tool.h" + +isc_log_t *logc = NULL; + +#define CHECK(r)\ + do { \ + result = (r); \ + if (result != ISC_R_SUCCESS) \ + goto cleanup; \ + } while (0) + +static void +usage(void) { + fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] " + "[named.conf]\n"); + exit(1); +} + +static isc_result_t +directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) { + isc_result_t result; + char *directory; + + REQUIRE(strcasecmp("directory", clausename) == 0); + + UNUSED(arg); + UNUSED(clausename); + + /* + * Change directory. 
+ */ + directory = cfg_obj_asstring(obj); + result = isc_dir_chdir(directory); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(obj, logc, ISC_LOG_ERROR, + "change directory to '%s' failed: %s\n", + directory, isc_result_totext(result)); + return (result); + } + + return (ISC_R_SUCCESS); +} + +static isc_result_t +configure_zone(const char *vclass, const char *view, cfg_obj_t *zconfig, + isc_mem_t *mctx) +{ + isc_result_t result; + const char *zclass; + const char *zname; + const char *zfile; + cfg_obj_t *zoptions = NULL; + cfg_obj_t *classobj = NULL; + cfg_obj_t *typeobj = NULL; + cfg_obj_t *fileobj = NULL; + cfg_obj_t *dbobj = NULL; + + zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name")); + classobj = cfg_tuple_get(zconfig, "class"); + if (!cfg_obj_isstring(classobj)) + zclass = vclass; + else + zclass = cfg_obj_asstring(classobj); + zoptions = cfg_tuple_get(zconfig, "options"); + cfg_map_get(zoptions, "type", &typeobj); + if (typeobj == NULL) + return (ISC_R_FAILURE); + if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0) + return (ISC_R_SUCCESS); + cfg_map_get(zoptions, "database", &dbobj); + if (dbobj != NULL) + return (ISC_R_SUCCESS); + cfg_map_get(zoptions, "file", &fileobj); + if (fileobj == NULL) + return (ISC_R_FAILURE); + zfile = cfg_obj_asstring(fileobj); + result = load_zone(mctx, zname, zfile, zclass, NULL); + if (result != ISC_R_SUCCESS) + fprintf(stderr, "%s/%s/%s: %s\n", view, zname, zclass, + dns_result_totext(result)); + return(result); +} + +static isc_result_t +configure_view(const char *vclass, const char *view, cfg_obj_t *config, + cfg_obj_t *vconfig, isc_mem_t *mctx) +{ + cfg_listelt_t *element; + cfg_obj_t *voptions; + cfg_obj_t *zonelist; + isc_result_t result = ISC_R_SUCCESS; + isc_result_t tresult; + + voptions = NULL; + if (vconfig != NULL) + voptions = cfg_tuple_get(vconfig, "options"); + + zonelist = NULL; + if (voptions != NULL) + (void)cfg_map_get(voptions, "zone", &zonelist); + else + (void)cfg_map_get(config, "zone", 
&zonelist); + + for (element = cfg_list_first(zonelist); + element != NULL; + element = cfg_list_next(element)) + { + cfg_obj_t *zconfig = cfg_listelt_value(element); + tresult = configure_zone(vclass, view, zconfig, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + return (result); +} + + +static isc_result_t +load_zones_fromconfig(cfg_obj_t *config, isc_mem_t *mctx) { + cfg_listelt_t *element; + cfg_obj_t *classobj; + cfg_obj_t *views; + cfg_obj_t *vconfig; + const char *vclass; + isc_result_t result = ISC_R_SUCCESS; + isc_result_t tresult; + + views = NULL; + + (void)cfg_map_get(config, "view", &views); + for (element = cfg_list_first(views); + element != NULL; + element = cfg_list_next(element)) + { + const char *vname; + + vclass = "IN"; + vconfig = cfg_listelt_value(element); + if (vconfig != NULL) { + classobj = cfg_tuple_get(vconfig, "class"); + if (cfg_obj_isstring(classobj)) + vclass = cfg_obj_asstring(classobj); + } + vname = cfg_obj_asstring(cfg_tuple_get(vconfig, "name")); + tresult = configure_view(vclass, vname, config, vconfig, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + + if (views == NULL) { + tresult = configure_view("IN", "_default", config, NULL, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + return (result); +} + +int +main(int argc, char **argv) { + int c; + cfg_parser_t *parser = NULL; + cfg_obj_t *config = NULL; + const char *conffile = NULL; + isc_mem_t *mctx = NULL; + isc_result_t result; + int exit_status = 0; + isc_boolean_t load_zones = ISC_FALSE; + + while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) { + switch (c) { + case 'd': + debug++; + break; + + case 'j': + nomerge = ISC_FALSE; + break; + + case 't': + result = isc_dir_chroot(isc_commandline_argument); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "isc_dir_chroot: %s\n", + isc_result_totext(result)); + exit(1); + } + result = isc_dir_chdir("/"); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, 
"isc_dir_chdir: %s\n", + isc_result_totext(result)); + exit(1); + } + break; + + case 'v': + printf(VERSION "\n"); + exit(0); + + case 'z': + load_zones = ISC_TRUE; + break; + + default: + usage(); + } + } + + if (argv[isc_commandline_index] != NULL) + conffile = argv[isc_commandline_index]; + if (conffile == NULL || conffile[0] == '\0') + conffile = NAMED_CONFFILE; + + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); + + RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS); + + dns_result_register(); + + RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS); + + cfg_parser_setcallback(parser, directory_callback, NULL); + + if (cfg_parse_file(parser, conffile, &cfg_type_namedconf, &config) != + ISC_R_SUCCESS) + exit(1); + + result = bind9_check_namedconf(config, logc, mctx); + if (result != ISC_R_SUCCESS) + exit_status = 1; + + if (result == ISC_R_SUCCESS && load_zones) { + dns_log_init(logc); + dns_log_setcontext(logc); + result = load_zones_fromconfig(config, mctx); + if (result != ISC_R_SUCCESS) + exit_status = 1; + } + + cfg_obj_destroy(parser, &config); + + cfg_parser_destroy(&parser); + + isc_log_destroy(&logc); + + isc_mem_destroy(&mctx); + + return (exit_status); +} diff --git a/contrib/bind9/bin/check/named-checkconf.docbook b/contrib/bind9/bin/check/named-checkconf.docbook new file mode 100644 index 000000000000..d1336cfa537b --- /dev/null +++ b/contrib/bind9/bin/check/named-checkconf.docbook 
@@ -0,0 +1,146 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2002 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: named-checkconf.docbook,v 1.3.2.1.8.5 2004/06/03 02:24:59 marka Exp $ --> + +<refentry> + <refentryinfo> + <date>June 14, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>named-checkconf</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>named-checkconf</application></refname> + <refpurpose>named configuration file syntax checking tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>named-checkconf</command> + <arg><option>-v</option></arg> + <arg><option>-j</option></arg> + <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg> + <arg choice="req">filename</arg> + <arg><option>-z</option></arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>named-checkconf</command> checks the syntax, but not + the semantics, of a named configuration file. 
+ </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + chroot to <filename>directory</filename> so that include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v</term> + <listitem> + <para> + Print the version of the <command>named-checkconf</command> + program and exit. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-z</term> + <listitem> + <para> + Perform a check load the master zonefiles found in + <filename>named.conf</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-j</term> + <listitem> + <para> + When loading a zonefile read the journal if it exists. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>filename</term> + <listitem> + <para> + The name of the configuration file to be checked. If not + specified, it defaults to <filename>/etc/named.conf</filename>. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </refsect1> + + <refsect1> + <title>RETURN VALUES</title> + <para> + <command>named-checkconf</command> returns an exit status of 1 if + errors were detected and 0 otherwise. + </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>named</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Systems Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> + diff --git a/contrib/bind9/bin/check/named-checkconf.html b/contrib/bind9/bin/check/named-checkconf.html new file mode 100644 index 000000000000..8d5f38e99c51 --- /dev/null 
+++ b/contrib/bind9/bin/check/named-checkconf.html 
@@ -0,0 +1,216 @@ +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2002 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: named-checkconf.html,v 1.5.2.1.4.5 2004/08/22 23:38:57 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>named-checkconf</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +></A +><SPAN +CLASS="APPLICATION" +>named-checkconf</SPAN +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>named-checkconf</SPAN +> -- named configuration file syntax checking tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>named-checkconf</B +> [<VAR +CLASS="OPTION" +>-v</VAR +>] [<VAR +CLASS="OPTION" +>-j</VAR +>] [<VAR +CLASS="OPTION" +>-t <VAR +CLASS="REPLACEABLE" +>directory</VAR +></VAR +>] {filename} [<VAR +CLASS="OPTION" +>-z</VAR +>]</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN26" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" 
+>named-checkconf</B +> checks the syntax, but not + the semantics, of a named configuration file. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN30" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-t <VAR +CLASS="REPLACEABLE" +>directory</VAR +></DT +><DD +><P +> chroot to <TT +CLASS="FILENAME" +>directory</TT +> so that include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </P +></DD +><DT +>-v</DT +><DD +><P +> Print the version of the <B +CLASS="COMMAND" +>named-checkconf</B +> + program and exit. + </P +></DD +><DT +>-z</DT +><DD +><P +> Perform a check load the master zonefiles found in + <TT +CLASS="FILENAME" +>named.conf</TT +>. + </P +></DD +><DT +>-j</DT +><DD +><P +> When loading a zonefile read the journal if it exists. + </P +></DD +><DT +>filename</DT +><DD +><P +> The name of the configuration file to be checked. If not + specified, it defaults to <TT +CLASS="FILENAME" +>/etc/named.conf</TT +>. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN58" +></A +><H2 +>RETURN VALUES</H2 +><P +> <B +CLASS="COMMAND" +>named-checkconf</B +> returns an exit status of 1 if + errors were detected and 0 otherwise. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN62" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>named</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN69" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Systems Consortium + </P +></DIV +></BODY +></HTML +> diff --git a/contrib/bind9/bin/check/named-checkzone.8 b/contrib/bind9/bin/check/named-checkzone.8 new file mode 100644 index 000000000000..efa600c8e087 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkzone.8 
@@ -0,0 +1,94 @@ +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2002 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: named-checkzone.8,v 1.11.2.1.8.4 2004/06/03 05:35:42 marka Exp $ +.\" +.TH "NAMED-CHECKZONE" "8" "June 13, 2000" "BIND9" "" +.SH NAME +named-checkzone \- zone file validity checking tool +.SH SYNOPSIS +.sp +\fBnamed-checkzone\fR [ \fB-d\fR ] [ \fB-j\fR ] [ \fB-q\fR ] [ \fB-v\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-k \fImode\fB\fR ] [ \fB-n \fImode\fB\fR ] [ \fB-o \fIfilename\fB\fR ] [ \fB-t \fIdirectory\fB\fR ] [ \fB-w \fIdirectory\fB\fR ] [ \fB-D\fR ] \fBzonename\fR \fBfilename\fR +.SH "DESCRIPTION" +.PP +\fBnamed-checkzone\fR checks the syntax and integrity of +a zone file. It performs the same checks as \fBnamed\fR +does when loading a zone. This makes +\fBnamed-checkzone\fR useful for checking zone +files before configuring them into a name server. +.SH "OPTIONS" +.TP +\fB-d\fR +Enable debugging. +.TP +\fB-q\fR +Quiet mode - exit code only. +.TP +\fB-v\fR +Print the version of the \fBnamed-checkzone\fR +program and exit. +.TP +\fB-j\fR +When loading the zone file read the journal if it exists. +.TP +\fB-c \fIclass\fB\fR +Specify the class of the zone. If not specified "IN" is assumed. 
+.TP +\fB-k \fImode\fB\fR +Perform \fB"check-name"\fR checks with the specified failure mode. +Possible modes are \fB"fail"\fR, +\fB"warn"\fR (default) and +\fB"ignore"\fR. +.TP +\fB-n \fImode\fB\fR +Specify whether NS records should be checked to see if they +are addresses. Possible modes are \fB"fail"\fR, +\fB"warn"\fR (default) and +\fB"ignore"\fR. +.TP +\fB-o \fIfilename\fB\fR +Write zone output to \fIdirectory\fR. +.TP +\fB-t \fIdirectory\fB\fR +chroot to \fIdirectory\fR so that include +directives in the configuration file are processed as if +run by a similarly chrooted named. +.TP +\fB-w \fIdirectory\fB\fR +chdir to \fIdirectory\fR so that relative +filenames in master file $INCLUDE directives work. This +is similar to the directory clause in +\fInamed.conf\fR. +.TP +\fB-D\fR +Dump zone file in canonical format. +.TP +\fBzonename\fR +The domain name of the zone being checked. +.TP +\fBfilename\fR +The name of the zone file. +.SH "RETURN VALUES" +.PP +\fBnamed-checkzone\fR returns an exit status of 1 if +errors were detected and 0 otherwise. +.SH "SEE ALSO" +.PP +\fBnamed\fR(8), +\fIRFC 1035\fR, +\fIBIND 9 Administrator Reference Manual\fR. +.SH "AUTHOR" +.PP +Internet Systems Consortium diff --git a/contrib/bind9/bin/check/named-checkzone.c b/contrib/bind9/bin/check/named-checkzone.c new file mode 100644 index 000000000000..d023bd685774 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkzone.c 
@@ -0,0 +1,200 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 1999-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: named-checkzone.c,v 1.13.2.3.8.9 2004/03/06 10:21:11 marka Exp $ */ + +#include <config.h> + +#include <stdlib.h> + +#include <isc/app.h> +#include <isc/commandline.h> +#include <isc/dir.h> +#include <isc/log.h> +#include <isc/mem.h> +#include <isc/socket.h> +#include <isc/string.h> +#include <isc/task.h> +#include <isc/timer.h> +#include <isc/util.h> + +#include <dns/db.h> +#include <dns/fixedname.h> +#include <dns/log.h> +#include <dns/rdataclass.h> +#include <dns/rdataset.h> +#include <dns/result.h> +#include <dns/zone.h> + +#include "check-tool.h" + +static int quiet = 0; +static isc_mem_t *mctx = NULL; +dns_zone_t *zone = NULL; +dns_zonetype_t zonetype = dns_zone_master; +static int dumpzone = 0; +static const char *output_filename; + +#define ERRRET(result, function) \ + do { \ + if (result != ISC_R_SUCCESS) { \ + if (!quiet) \ + fprintf(stderr, "%s() returned %s\n", \ + function, dns_result_totext(result)); \ + return (result); \ + } \ + } while (0) + +static void +usage(void) { + fprintf(stderr, + "usage: named-checkzone [-djqvD] [-c class] [-o output] " + "[-t directory] [-w directory] 
[-k option] zonename filename\n"); + exit(1); +} + +static void +destroy(void) { + if (zone != NULL) + dns_zone_detach(&zone); +} + +int +main(int argc, char **argv) { + int c; + char *origin = NULL; + char *filename = NULL; + isc_log_t *lctx = NULL; + isc_result_t result; + char classname_in[] = "IN"; + char *classname = classname_in; + const char *workdir = NULL; + + while ((c = isc_commandline_parse(argc, argv, "c:dijk:n:qst:o:vw:D")) != EOF) { + switch (c) { + case 'c': + classname = isc_commandline_argument; + break; + + case 'd': + debug++; + break; + + case 'j': + nomerge = ISC_FALSE; + break; + + case 'n': + if (!strcmp(isc_commandline_argument, "ignore")) + zone_options &= ~(DNS_ZONEOPT_CHECKNS| + DNS_ZONEOPT_FATALNS); + else if (!strcmp(isc_commandline_argument, "warn")) { + zone_options |= DNS_ZONEOPT_CHECKNS; + zone_options &= ~DNS_ZONEOPT_FATALNS; + } else if (!strcmp(isc_commandline_argument, "fail")) + zone_options |= DNS_ZONEOPT_CHECKNS| + DNS_ZONEOPT_FATALNS; + break; + + case 'k': + if (!strcmp(isc_commandline_argument, "check-names")) { + zone_options |= DNS_ZONEOPT_CHECKNAMES; + } else if (!strcmp(isc_commandline_argument, + "check-names-fail")) { + zone_options |= DNS_ZONEOPT_CHECKNAMES | + DNS_ZONEOPT_CHECKNAMESFAIL; + } + break; + + case 'q': + quiet++; + break; + + case 't': + result = isc_dir_chroot(isc_commandline_argument); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "isc_dir_chroot: %s: %s\n", + isc_commandline_argument, + isc_result_totext(result)); + exit(1); + } + result = isc_dir_chdir("/"); + if (result != ISC_R_SUCCESS) { + fprintf(stderr, "isc_dir_chdir: %s\n", + isc_result_totext(result)); + exit(1); + } + break; + + case 'o': + output_filename = isc_commandline_argument; + break; + + case 'v': + printf(VERSION "\n"); + exit(0); + + case 'w': + workdir = isc_commandline_argument; + break; + + case 'D': + dumpzone++; + break; + + default: + usage(); + } + } + + if (workdir != NULL) { + result = isc_dir_chdir(workdir); + if 
(result != ISC_R_SUCCESS) { + fprintf(stderr, "isc_dir_chdir: %s: %s\n", + workdir, isc_result_totext(result)); + exit(1); + } + } + + if (isc_commandline_index + 2 > argc) + usage(); + + RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS); + if (!quiet) { + RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS); + dns_log_init(lctx); + dns_log_setcontext(lctx); + } + + dns_result_register(); + + origin = argv[isc_commandline_index++]; + filename = argv[isc_commandline_index++]; + result = load_zone(mctx, origin, filename, classname, &zone); + + if (result == ISC_R_SUCCESS && dumpzone) { + result = dump_zone(origin, zone, output_filename); + } + + if (!quiet && result == ISC_R_SUCCESS) + fprintf(stdout, "OK\n"); + destroy(); + if (lctx != NULL) + isc_log_destroy(&lctx); + isc_mem_destroy(&mctx); + return ((result == ISC_R_SUCCESS) ? 0 : 1); +} diff --git a/contrib/bind9/bin/check/named-checkzone.docbook b/contrib/bind9/bin/check/named-checkzone.docbook new file mode 100644 index 000000000000..68b0baeeba44 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkzone.docbook 
@@ -0,0 +1,236 @@ +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN"> +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2002 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: named-checkzone.docbook,v 1.3.2.2.8.7 2004/06/03 02:25:00 marka Exp $ --> + +<refentry> + <refentryinfo> + <date>June 13, 2000</date> + </refentryinfo> + + <refmeta> + <refentrytitle><application>named-checkzone</application></refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo>BIND9</refmiscinfo> + </refmeta> + + <refnamediv> + <refname><application>named-checkzone</application></refname> + <refpurpose>zone file validity checking tool</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>named-checkzone</command> + <arg><option>-d</option></arg> + <arg><option>-j</option></arg> + <arg><option>-q</option></arg> + <arg><option>-v</option></arg> + <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-k <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-n <replaceable class="parameter">mode</replaceable></option></arg> + <arg><option>-o <replaceable class="parameter">filename</replaceable></option></arg> + <arg><option>-t 
<replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-w <replaceable class="parameter">directory</replaceable></option></arg> + <arg><option>-D</option></arg> + <arg choice="req">zonename</arg> + <arg choice="req">filename</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>DESCRIPTION</title> + <para> + <command>named-checkzone</command> checks the syntax and integrity of + a zone file. It performs the same checks as <command>named</command> + does when loading a zone. This makes + <command>named-checkzone</command> useful for checking zone + files before configuring them into a name server. + </para> + </refsect1> + + <refsect1> + <title>OPTIONS</title> + + <variablelist> + <varlistentry> + <term>-d</term> + <listitem> + <para> + Enable debugging. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-q</term> + <listitem> + <para> + Quiet mode - exit code only. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-v</term> + <listitem> + <para> + Print the version of the <command>named-checkzone</command> + program and exit. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-j</term> + <listitem> + <para> + When loading the zone file read the journal if it exists. + </para> + </listitem> + + <varlistentry> + <term>-c <replaceable class="parameter">class</replaceable></term> + <listitem> + <para> + Specify the class of the zone. If not specified "IN" is assumed. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-k <replaceable class="parameter">mode</replaceable></term> + <listitem> + <para> + Perform <command>"check-name"</command> checks with the specified failure mode. + Possible modes are <command>"fail"</command>, + <command>"warn"</command> (default) and + <command>"ignore"</command>. 
+ </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-n <replaceable class="parameter">mode</replaceable></term> + <listitem> + <para> + Specify whether NS records should be checked to see if they + are addresses. Possible modes are <command>"fail"</command>, + <command>"warn"</command> (default) and + <command>"ignore"</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-o <replaceable class="parameter">filename</replaceable></term> + <listitem> + <para> + Write zone output to <filename>directory</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-t <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + chroot to <filename>directory</filename> so that include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-w <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + chdir to <filename>directory</filename> so that relative + filenames in master file $INCLUDE directives work. This + is similar to the directory clause in + <filename>named.conf</filename>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-D</term> + <listitem> + <para> + Dump zone file in canonical format. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>zonename</term> + <listitem> + <para> + The domain name of the zone being checked. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>filename</term> + <listitem> + <para> + The name of the zone file. + </para> + </listitem> + </varlistentry> + + </variablelist> + + </refsect1> + + <refsect1> + <title>RETURN VALUES</title> + <para> + <command>named-checkzone</command> returns an exit status of 1 if + errors were detected and 0 otherwise. 
+ </refsect1> + + <refsect1> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>named</refentrytitle> + <manvolnum>8</manvolnum> + </citerefentry>, + <citetitle>RFC 1035</citetitle>, + <citetitle>BIND 9 Administrator Reference Manual</citetitle>. + </para> + </refsect1> + + <refsect1> + <title>AUTHOR</title> + <para> + <corpauthor>Internet Systems Consortium</corpauthor> + </para> + </refsect1> + +</refentry> + +<!-- + - Local variables: + - mode: sgml + - End: +--> + diff --git a/contrib/bind9/bin/check/named-checkzone.html b/contrib/bind9/bin/check/named-checkzone.html new file mode 100644 index 000000000000..dd14c1f8fd73 --- /dev/null +++ b/contrib/bind9/bin/check/named-checkzone.html 
@@ -0,0 +1,367 @@ +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2002 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: named-checkzone.html,v 1.5.2.2.4.5 2004/08/22 23:38:57 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>named-checkzone</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +></A +><SPAN +CLASS="APPLICATION" +>named-checkzone</SPAN +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>named-checkzone</SPAN +> -- zone file validity checking tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>named-checkzone</B +> [<VAR +CLASS="OPTION" +>-d</VAR +>] [<VAR +CLASS="OPTION" +>-j</VAR +>] [<VAR +CLASS="OPTION" +>-q</VAR +>] [<VAR +CLASS="OPTION" +>-v</VAR +>] [<VAR +CLASS="OPTION" +>-c <VAR +CLASS="REPLACEABLE" +>class</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-k <VAR +CLASS="REPLACEABLE" +>mode</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-n <VAR 
+CLASS="REPLACEABLE" +>mode</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-o <VAR +CLASS="REPLACEABLE" +>filename</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-t <VAR +CLASS="REPLACEABLE" +>directory</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-w <VAR +CLASS="REPLACEABLE" +>directory</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-D</VAR +>] {zonename} {filename}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN46" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>named-checkzone</B +> checks the syntax and integrity of + a zone file. It performs the same checks as <B +CLASS="COMMAND" +>named</B +> + does when loading a zone. This makes + <B +CLASS="COMMAND" +>named-checkzone</B +> useful for checking zone + files before configuring them into a name server. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-d</DT +><DD +><P +> Enable debugging. + </P +></DD +><DT +>-q</DT +><DD +><P +> Quiet mode - exit code only. + </P +></DD +><DT +>-v</DT +><DD +><P +> Print the version of the <B +CLASS="COMMAND" +>named-checkzone</B +> + program and exit. + </P +></DD +><DT +>-j</DT +><DD +><P +> When loading the zone file read the journal if it exists. + </P +></DD +><DT +>-c <VAR +CLASS="REPLACEABLE" +>class</VAR +></DT +><DD +><P +> Specify the class of the zone. If not specified "IN" is assumed. + </P +></DD +><DT +>-k <VAR +CLASS="REPLACEABLE" +>mode</VAR +></DT +><DD +><P +> Perform <B +CLASS="COMMAND" +>"check-name"</B +> checks with the specified failure mode. + Possible modes are <B +CLASS="COMMAND" +>"fail"</B +>, + <B +CLASS="COMMAND" +>"warn"</B +> (default) and + <B +CLASS="COMMAND" +>"ignore"</B +>. + </P +></DD +><DT +>-n <VAR +CLASS="REPLACEABLE" +>mode</VAR +></DT +><DD +><P +> Specify whether NS records should be checked to see if they + are addresses. 
Possible modes are <B +CLASS="COMMAND" +>"fail"</B +>, + <B +CLASS="COMMAND" +>"warn"</B +> (default) and + <B +CLASS="COMMAND" +>"ignore"</B +>. + </P +></DD +><DT +>-o <VAR +CLASS="REPLACEABLE" +>filename</VAR +></DT +><DD +><P +> Write zone output to <TT +CLASS="FILENAME" +>directory</TT +>. + </P +></DD +><DT +>-t <VAR +CLASS="REPLACEABLE" +>directory</VAR +></DT +><DD +><P +> chroot to <TT +CLASS="FILENAME" +>directory</TT +> so that include + directives in the configuration file are processed as if + run by a similarly chrooted named. + </P +></DD +><DT +>-w <VAR +CLASS="REPLACEABLE" +>directory</VAR +></DT +><DD +><P +> chdir to <TT +CLASS="FILENAME" +>directory</TT +> so that relative + filenames in master file $INCLUDE directives work. This + is similar to the directory clause in + <TT +CLASS="FILENAME" +>named.conf</TT +>. + </P +></DD +><DT +>-D</DT +><DD +><P +> Dump zone file in canonical format. + </P +></DD +><DT +>zonename</DT +><DD +><P +> The domain name of the zone being checked. + </P +></DD +><DT +>filename</DT +><DD +><P +> The name of the zone file. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN125" +></A +><H2 +>RETURN VALUES</H2 +><P +> <B +CLASS="COMMAND" +>named-checkzone</B +> returns an exit status of 1 if + errors were detected and 0 otherwise. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN129" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>named</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>RFC 1035</I +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN137" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Systems Consortium + </P +></DIV +></BODY +></HTML +> diff --git a/contrib/bind9/bin/dig/Makefile.in b/contrib/bind9/bin/dig/Makefile.in new file mode 100644 index 000000000000..65c14ce88222 --- /dev/null +++ b/contrib/bind9/bin/dig/Makefile.in 
@@ -0,0 +1,101 @@ +# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 2000-2002 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_VERSION@ + +@BIND9_MAKE_INCLUDES@ + +CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ + ${ISC_INCLUDES} ${LWRES_INCLUDES} + +CDEFINES = -DVERSION=\"${VERSION}\" +CWARNINGS = + +ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ +DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ +BIND9LIBS = ../../lib/bind9/libbind9.@A@ +ISCLIBS = ../../lib/isc/libisc.@A@ +LWRESLIBS = ../../lib/lwres/liblwres.@A@ + +ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ +DNSDEPLIBS = ../../lib/dns/libdns.@A@ +BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ +ISCDEPLIBS = ../../lib/isc/libisc.@A@ +LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ + +DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ + ${LWRESDEPLIBS} + +LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \ + ${ISCCFGLIBS} @LIBS@ + +SUBDIRS = + +TARGETS = dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ + +OBJS = dig.@O@ dighost.@O@ host.@O@ nslookup.@O@ + +UOBJS = + +SRCS = dig.c dighost.c host.c nslookup.c + +MANPAGES = 
dig.1 host.1 nslookup.1 + +HTMLPAGES = dig.html host.html nslookup.html + +MANOBJS = ${MANPAGES} ${HTMLPAGES} + +@BIND9_MAKE_RULES@ + +dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dig.@O@ dighost.@O@ ${UOBJS} ${LIBS} + +host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + host.@O@ dighost.@O@ ${UOBJS} ${LIBS} + +nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + nslookup.@O@ dighost.@O@ ${UOBJS} ${LIBS} + +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f ${MANOBJS} + +clean distclean maintainer-clean:: + rm -f ${TARGETS} + +installdirs: + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} + $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1 + +install:: dig@EXEEXT@ host@EXEEXT@ nslookup@EXEEXT@ installdirs + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + dig@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + host@EXEEXT@ ${DESTDIR}${bindir} + ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} \ + nslookup@EXEEXT@ ${DESTDIR}${bindir} + for m in ${MANPAGES}; do \ + ${INSTALL_DATA} ${srcdir}/$$m ${DESTDIR}${mandir}/man1; \ + done diff --git a/contrib/bind9/bin/dig/dig.1 b/contrib/bind9/bin/dig/dig.1 new file mode 100644 index 000000000000..f14d9216873b --- /dev/null +++ b/contrib/bind9/bin/dig/dig.1 
@@ -0,0 +1,401 @@ +.\" Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") +.\" Copyright (C) 2000-2003 Internet Software Consortium. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dig.1,v 1.14.2.4.2.6 2004/06/23 09:11:01 marka Exp $ +.\" +.TH "DIG" "1" "Jun 30, 2000" "BIND9" "" +.SH NAME +dig \- DNS lookup utility +.SH SYNOPSIS +.sp +\fBdig\fR [ \fB@server\fR ] [ \fB-b \fIaddress\fB\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-f \fIfilename\fB\fR ] [ \fB-k \fIfilename\fB\fR ] [ \fB-p \fIport#\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-x \fIaddr\fB\fR ] [ \fB-y \fIname:key\fB\fR ] [ \fB-4\fR ] [ \fB-6\fR ] [ \fBname\fR ] [ \fBtype\fR ] [ \fBclass\fR ] [ \fBqueryopt\fR\fI...\fR ] +.sp +\fBdig\fR [ \fB-h\fR ] +.sp +\fBdig\fR [ \fBglobal-queryopt\fR\fI...\fR ] [ \fBquery\fR\fI...\fR ] +.SH "DESCRIPTION" +.PP +\fBdig\fR (domain information groper) is a flexible tool +for interrogating DNS name servers. It performs DNS lookups and +displays the answers that are returned from the name server(s) that +were queried. Most DNS administrators use \fBdig\fR to +troubleshoot DNS problems because of its flexibility, ease of use and +clarity of output. Other lookup tools tend to have less functionality +than \fBdig\fR. 
+.PP +Although \fBdig\fR is normally used with command-line +arguments, it also has a batch mode of operation for reading lookup +requests from a file. A brief summary of its command-line arguments +and options is printed when the \fB-h\fR option is given. +Unlike earlier versions, the BIND9 implementation of +\fBdig\fR allows multiple lookups to be issued from the +command line. +.PP +Unless it is told to query a specific name server, +\fBdig\fR will try each of the servers listed in +\fI/etc/resolv.conf\fR. +.PP +When no command line arguments or options are given, will perform an +NS query for "." (the root). +.PP +It is possible to set per-user defaults for \fBdig\fR via +\fI${HOME}/.digrc\fR. This file is read and any options in it +are applied before the command line arguments. +.SH "SIMPLE USAGE" +.PP +A typical invocation of \fBdig\fR looks like: +.sp +.nf + dig @server name type +.sp +.fi +where: +.TP +\fBserver\fR +is the name or IP address of the name server to query. This can be an IPv4 +address in dotted-decimal notation or an IPv6 +address in colon-delimited notation. When the supplied +\fIserver\fR argument is a hostname, +\fBdig\fR resolves that name before querying that name +server. If no \fIserver\fR argument is provided, +\fBdig\fR consults \fI/etc/resolv.conf\fR +and queries the name servers listed there. The reply from the name +server that responds is displayed. +.TP +\fBname\fR +is the name of the resource record that is to be looked up. +.TP +\fBtype\fR +indicates what type of query is required \(em +ANY, A, MX, SIG, etc. +\fItype\fR can be any valid query type. If no +\fItype\fR argument is supplied, +\fBdig\fR will perform a lookup for an A record. +.SH "OPTIONS" +.PP +The \fB-b\fR option sets the source IP address of the query +to \fIaddress\fR. This must be a valid address on +one of the host's network interfaces or "0.0.0.0" or "::". 
An optional port +may be specified by appending "#<port>" +.PP +The default query class (IN for internet) is overridden by the +\fB-c\fR option. \fIclass\fR is any valid +class, such as HS for Hesiod records or CH for CHAOSNET records. +.PP +The \fB-f\fR option makes \fBdig \fR operate +in batch mode by reading a list of lookup requests to process from the +file \fIfilename\fR. The file contains a number of +queries, one per line. Each entry in the file should be organised in +the same way they would be presented as queries to +\fBdig\fR using the command-line interface. +.PP +If a non-standard port number is to be queried, the +\fB-p\fR option is used. \fIport#\fR is +the port number that \fBdig\fR will send its queries +instead of the standard DNS port number 53. This option would be used +to test a name server that has been configured to listen for queries +on a non-standard port number. +.PP +The \fB-4\fR option forces \fBdig\fR to only +use IPv4 query transport. The \fB-6\fR option forces +\fBdig\fR to only use IPv6 query transport. +.PP +The \fB-t\fR option sets the query type to +\fItype\fR. It can be any valid query type which is +supported in BIND9. The default query type "A", unless the +\fB-x\fR option is supplied to indicate a reverse lookup. +A zone transfer can be requested by specifying a type of AXFR. When +an incremental zone transfer (IXFR) is required, +\fItype\fR is set to ixfr=N. +The incremental zone transfer will contain the changes made to the zone +since the serial number in the zone's SOA record was +\fIN\fR. +.PP +Reverse lookups - mapping addresses to names - are simplified by the +\fB-x\fR option. \fIaddr\fR is an IPv4 +address in dotted-decimal notation, or a colon-delimited IPv6 address. +When this option is used, there is no need to provide the +\fIname\fR, \fIclass\fR and +\fItype\fR arguments. 
\fBdig\fR +automatically performs a lookup for a name like +11.12.13.10.in-addr.arpa and sets the query type and +class to PTR and IN respectively. By default, IPv6 addresses are +looked up using nibble format under the IP6.ARPA domain. +To use the older RFC1886 method using the IP6.INT domain +specify the \fB-i\fR option. Bit string labels (RFC2874) +are now experimental and are not attempted. +.PP +To sign the DNS queries sent by \fBdig\fR and their +responses using transaction signatures (TSIG), specify a TSIG key file +using the \fB-k\fR option. You can also specify the TSIG +key itself on the command line using the \fB-y\fR option; +\fIname\fR is the name of the TSIG key and +\fIkey\fR is the actual key. The key is a base-64 +encoded string, typically generated by \fBdnssec-keygen\fR(8). +Caution should be taken when using the \fB-y\fR option on +multi-user systems as the key can be visible in the output from +\fBps\fR(1) or in the shell's history file. When +using TSIG authentication with \fBdig\fR, the name +server that is queried needs to know the key and algorithm that is +being used. In BIND, this is done by providing appropriate +\fBkey\fR and \fBserver\fR statements in +\fInamed.conf\fR. +.SH "QUERY OPTIONS" +.PP +\fBdig\fR provides a number of query options which affect +the way in which lookups are made and the results displayed. Some of +these set or reset flag bits in the query header, some determine which +sections of the answer get printed, and others determine the timeout +and retry strategies. +.PP +Each query option is identified by a keyword preceded by a plus sign +(+). Some keywords set or reset an option. These may be preceded +by the string no to negate the meaning of that keyword. Other +keywords assign values to options like the timeout interval. They +have the form \fB+keyword=value\fR. +The query options are: +.TP +\fB+[no]tcp\fR +Use [do not use] TCP when querying name servers. 
The default +behaviour is to use UDP unless an AXFR or IXFR query is requested, in +which case a TCP connection is used. +.TP +\fB+[no]vc\fR +Use [do not use] TCP when querying name servers. This alternate +syntax to \fI+[no]tcp\fR is provided for backwards +compatibility. The "vc" stands for "virtual circuit". +.TP +\fB+[no]ignore\fR +Ignore truncation in UDP responses instead of retrying with TCP. By +default, TCP retries are performed. +.TP +\fB+domain=somename\fR +Set the search list to contain the single domain +\fIsomename\fR, as if specified in a +\fBdomain\fR directive in +\fI/etc/resolv.conf\fR, and enable search list +processing as if the \fI+search\fR option were given. +.TP +\fB+[no]search\fR +Use [do not use] the search list defined by the searchlist or domain +directive in \fIresolv.conf\fR (if any). +The search list is not used by default. +.TP +\fB+[no]defname\fR +Deprecated, treated as a synonym for \fI+[no]search\fR +.TP +\fB+[no]aaonly\fR +Sets the "aa" flag in the query. +.TP +\fB+[no]aaflag\fR +A synonym for \fI+[no]aaonly\fR. +.TP +\fB+[no]adflag\fR +Set [do not set] the AD (authentic data) bit in the query. The AD bit +currently has a standard meaning only in responses, not in queries, +but the ability to set the bit in the query is provided for +completeness. +.TP +\fB+[no]cdflag\fR +Set [do not set] the CD (checking disabled) bit in the query. This +requests the server to not perform DNSSEC validation of responses. +.TP +\fB+[no]cl\fR +Display [do not display] the CLASS when printing the record. +.TP +\fB+[no]ttlid\fR +Display [do not display] the TTL when printing the record. +.TP +\fB+[no]recurse\fR +Toggle the setting of the RD (recursion desired) bit in the query. +This bit is set by default, which means \fBdig\fR +normally sends recursive queries. Recursion is automatically disabled +when the \fI+nssearch\fR or +\fI+trace\fR query options are used. 
+.TP +\fB+[no]nssearch\fR +When this option is set, \fBdig\fR attempts to find the +authoritative name servers for the zone containing the name being +looked up and display the SOA record that each name server has for the +zone. +.TP +\fB+[no]trace\fR +Toggle tracing of the delegation path from the root name servers for +the name being looked up. Tracing is disabled by default. When +tracing is enabled, \fBdig\fR makes iterative queries to +resolve the name being looked up. It will follow referrals from the +root servers, showing the answer from each server that was used to +resolve the lookup. +.TP +\fB+[no]cmd\fR +toggles the printing of the initial comment in the output identifying +the version of \fBdig\fR and the query options that have +been applied. This comment is printed by default. +.TP +\fB+[no]short\fR +Provide a terse answer. The default is to print the answer in a +verbose form. +.TP +\fB+[no]identify\fR +Show [or do not show] the IP address and port number that supplied the +answer when the \fI+short\fR option is enabled. If +short form answers are requested, the default is not to show the +source address and port number of the server that provided the answer. +.TP +\fB+[no]comments\fR +Toggle the display of comment lines in the output. The default is to +print comments. +.TP +\fB+[no]stats\fR +This query option toggles the printing of statistics: when the query +was made, the size of the reply and so on. The default behaviour is +to print the query statistics. +.TP +\fB+[no]qr\fR +Print [do not print] the query as it is sent. +By default, the query is not printed. +.TP +\fB+[no]question\fR +Print [do not print] the question section of a query when an answer is +returned. The default is to print the question section as a comment. +.TP +\fB+[no]answer\fR +Display [do not display] the answer section of a reply. The default +is to display it. +.TP +\fB+[no]authority\fR +Display [do not display] the authority section of a reply. 
The +default is to display it. +.TP +\fB+[no]additional\fR +Display [do not display] the additional section of a reply. +The default is to display it. +.TP +\fB+[no]all\fR +Set or clear all display flags. +.TP +\fB+time=T\fR +Sets the timeout for a query to +\fIT\fR seconds. The default time out is 5 seconds. +An attempt to set \fIT\fR to less than 1 will result +in a query timeout of 1 second being applied. +.TP +\fB+tries=T\fR +Sets the number of times to try UDP queries to server to +\fIT\fR instead of the default, 3. If +\fIT\fR is less than or equal to zero, the number of +tries is silently rounded up to 1. +.TP +\fB+retry=T\fR +Sets the number of times to retry UDP queries to server to +\fIT\fR instead of the default, 2. Unlike +\fI+tries\fR, this does not include the initial +query. +.TP +\fB+ndots=D\fR +Set the number of dots that have to appear in +\fIname\fR to \fID\fR for it to be +considered absolute. The default value is that defined using the +ndots statement in \fI/etc/resolv.conf\fR, or 1 if no +ndots statement is present. Names with fewer dots are interpreted as +relative names and will be searched for in the domains listed in the +\fBsearch\fR or \fBdomain\fR directive in +\fI/etc/resolv.conf\fR. +.TP +\fB+bufsize=B\fR +Set the UDP message buffer size advertised using EDNS0 to +\fIB\fR bytes. The maximum and minimum sizes of this +buffer are 65535 and 0 respectively. Values outside this range are +rounded up or down appropriately. +.TP +\fB+[no]multiline\fR +Print records like the SOA records in a verbose multi-line +format with human-readable comments. The default is to print +each record on a single line, to facilitate machine parsing +of the \fBdig\fR output. +.TP +\fB+[no]fail\fR +Do not try the next server if you receive a SERVFAIL. The default is +to not try the next server which is the reverse of normal stub resolver +behaviour. +.TP +\fB+[no]besteffort\fR +Attempt to display the contents of messages which are malformed. 
+The default is to not display malformed answers. +.TP +\fB+[no]dnssec\fR +Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) +in the OPT record in the additional section of the query. +.TP +\fB+[no]sigchase\fR +Chase DNSSEC signature chains. Requires dig be compiled with +-DDIG_SIGCHASE. +.TP +\fB+trusted-key=####\fR +Specify a trusted key to be used with \fB+sigchase\fR. +Requires dig be compiled with -DDIG_SIGCHASE. +.TP +\fB+[no]topdown\fR +When chasing DNSSEC signature chains perform a top down validation. +Requires dig be compiled with -DDIG_SIGCHASE. +.SH "MULTIPLE QUERIES" +.PP +The BIND 9 implementation of \fBdig \fR supports +specifying multiple queries on the command line (in addition to +supporting the \fB-f\fR batch file option). Each of those +queries can be supplied with its own set of flags, options and query +options. +.PP +In this case, each \fIquery\fR argument represent an +individual query in the command-line syntax described above. Each +consists of any of the standard options and flags, the name to be +looked up, an optional query type and class and any query options that +should be applied to that query. +.PP +A global set of query options, which should be applied to all queries, +can also be supplied. These global query options must precede the +first tuple of name, class, type, options, flags, and query options +supplied on the command line. Any global query options (except +the \fB+[no]cmd\fR option) can be +overridden by a query-specific set of query options. For example: +.sp +.nf +dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr +.sp +.fi +shows how \fBdig\fR could be used from the command line +to make three lookups: an ANY query for www.isc.org, a +reverse lookup of 127.0.0.1 and a query for the NS records of +isc.org. +A global query option of \fI+qr\fR is applied, so +that \fBdig\fR shows the initial query it made for each +lookup. 
The final query has a local query option of +\fI+noqr\fR which means that \fBdig\fR +will not print the initial query when it looks up the NS records for +isc.org. +.SH "FILES" +.PP +\fI/etc/resolv.conf\fR +.PP +\fI${HOME}/.digrc\fR +.SH "SEE ALSO" +.PP +\fBhost\fR(1), +\fBnamed\fR(8), +\fBdnssec-keygen\fR(8), +\fIRFC1035\fR. +.SH "BUGS" +.PP +There are probably too many query options. diff --git a/contrib/bind9/bin/dig/dig.c b/contrib/bind9/bin/dig/dig.c new file mode 100644 index 000000000000..b2c46254d92e --- /dev/null +++ b/contrib/bind9/bin/dig/dig.c 
@@ -0,0 +1,1671 @@ +/* + * Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2000-2003 Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: dig.c,v 1.157.2.13.2.20 2004/06/23 04:19:40 marka Exp $ */ + +#include <config.h> +#include <stdlib.h> +#include <time.h> +#include <ctype.h> + +#include <isc/app.h> +#include <isc/netaddr.h> +#include <isc/parseint.h> +#include <isc/print.h> +#include <isc/string.h> +#include <isc/util.h> +#include <isc/task.h> + +#include <dns/byaddr.h> +#include <dns/fixedname.h> +#include <dns/masterdump.h> +#include <dns/message.h> +#include <dns/name.h> +#include <dns/rdata.h> +#include <dns/rdataset.h> +#include <dns/rdatatype.h> +#include <dns/rdataclass.h> +#include <dns/result.h> + +#include <dig/dig.h> + +extern ISC_LIST(dig_lookup_t) lookup_list; +extern dig_serverlist_t server_list; +extern ISC_LIST(dig_searchlist_t) search_list; + +#define ADD_STRING(b, s) { \ + if (strlen(s) >= isc_buffer_availablelength(b)) \ + return (ISC_R_NOSPACE); \ + else \ + isc_buffer_putstr(b, s); \ +} + + +extern isc_boolean_t have_ipv4, have_ipv6, specified_source, + usesearch, qr; +extern in_port_t port; +extern unsigned int timeout; +extern isc_mem_t *mctx; +extern dns_messageid_t id; +extern int sendcount; +extern 
int ndots; +extern int lookup_counter; +extern int exitcode; +extern isc_sockaddr_t bind_address; +extern char keynametext[MXNAME]; +extern char keyfile[MXNAME]; +extern char keysecret[MXNAME]; +#ifdef DIG_SIGCHASE +extern char trustedkey[MXNAME]; +#endif +extern dns_tsigkey_t *key; +extern isc_boolean_t validated; +extern isc_taskmgr_t *taskmgr; +extern isc_task_t *global_task; +extern isc_boolean_t free_now; +dig_lookup_t *default_lookup = NULL; + +extern isc_boolean_t debugging, memdebugging; +static char *batchname = NULL; +static FILE *batchfp = NULL; +static char *argv0; + +static char domainopt[DNS_NAME_MAXTEXT]; + +static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE, + ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE, + multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE; + +static const char *opcodetext[] = { + "QUERY", + "IQUERY", + "STATUS", + "RESERVED3", + "NOTIFY", + "UPDATE", + "RESERVED6", + "RESERVED7", + "RESERVED8", + "RESERVED9", + "RESERVED10", + "RESERVED11", + "RESERVED12", + "RESERVED13", + "RESERVED14", + "RESERVED15" +}; + +static const char *rcodetext[] = { + "NOERROR", + "FORMERR", + "SERVFAIL", + "NXDOMAIN", + "NOTIMP", + "REFUSED", + "YXDOMAIN", + "YXRRSET", + "NXRRSET", + "NOTAUTH", + "NOTZONE", + "RESERVED11", + "RESERVED12", + "RESERVED13", + "RESERVED14", + "RESERVED15", + "BADVERS" +}; + +extern char *progname; + +static void +print_usage(FILE *fp) { + fputs( +"Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}\n" +" {global-d-opt} host [@local-server] {local-d-opt}\n" +" [ host [@local-server] {local-d-opt} [...]]\n", fp); +} + +static void +usage(void) { + print_usage(stderr); + fputs("\nUse \"dig -h\" (or \"dig -h | more\") " + "for complete list of options\n", stderr); + exit(1); +} + +static void +version(void) { + fputs("DiG " VERSION "\n", stderr); +} + +static void +help(void) { + print_usage(stdout); + fputs( +"Where: domain is in the Domain Name System\n" +" q-class is 
one of (in,hs,ch,...) [default: in]\n" +" q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]\n" +" (Use ixfr=version for type ixfr)\n" +" q-opt is one of:\n" +" -x dot-notation (shortcut for in-addr lookups)\n" +" -i (IP6.INT reverse IPv6 lookups)\n" +" -f filename (batch mode)\n" +" -b address[#port] (bind to source address/port)\n" +" -p port (specify port number)\n" +" -t type (specify query type)\n" +" -c class (specify query class)\n" +" -k keyfile (specify tsig key file)\n" +" -y name:key (specify named base64 tsig key)\n" +" -4 (use IPv4 query transport only)\n" +" -6 (use IPv6 query transport only)\n" +" d-opt is of the form +keyword[=value], where keyword is:\n" +" +[no]vc (TCP mode)\n" +" +[no]tcp (TCP mode, alternate syntax)\n" +" +time=### (Set query timeout) [5]\n" +" +tries=### (Set number of UDP attempts) [3]\n" +" +retry=### (Set number of UDP retries) [2]\n" +" +domain=### (Set default domainname)\n" +" +bufsize=### (Set EDNS0 Max UDP packet size)\n" +" +ndots=### (Set NDOTS value)\n" +" +[no]search (Set whether to use searchlist)\n" +" +[no]defname (Ditto)\n" +" +[no]recurse (Recursive mode)\n" +" +[no]ignore (Don't revert to TCP for TC responses.)" +"\n" +" +[no]fail (Don't try next server on SERVFAIL)\n" +" +[no]besteffort (Try to parse even illegal messages)\n" +" +[no]aaonly (Set AA flag in query (+[no]aaflag))\n" +" +[no]adflag (Set AD flag in query)\n" +" +[no]cdflag (Set CD flag in query)\n" +" +[no]cl (Control display of class in records)\n" +" +[no]cmd (Control display of command line)\n" +" +[no]comments (Control display of comment lines)\n" +" +[no]question (Control display of question)\n" +" +[no]answer (Control display of answer)\n" +" +[no]authority (Control display of authority)\n" +" +[no]additional (Control display of additional)\n" +" +[no]stats (Control display of statistics)\n" +" +[no]short (Disable everything except short\n" +" form of answer)\n" +" +[no]ttlid (Control display of ttls in records)\n" +" +[no]all 
(Set or clear all display flags)\n" +" +[no]qr (Print question before sending)\n" +" +[no]nssearch (Search all authoritative nameservers)\n" +" +[no]identify (ID responders in short answers)\n" +" +[no]trace (Trace delegation down from root)\n" +" +[no]dnssec (Request DNSSEC records)\n" +#ifdef DIG_SIGCHASE +" +[no]sigchase (Chase DNSSEC signatures)\n" +" +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)\n" +#if DIG_SIGCHASE_TD +" +[no]topdown (Do DNSSEC validation top down mode)\n" +#endif +#endif +" +[no]multiline (Print records in an expanded format)\n" +" global d-opts and servers (before host name) affect all queries.\n" +" local d-opts and servers (after host name) affect only that lookup.\n" +" -h (print help and exit)\n" +" -v (print version and exit)\n", + stdout); +} + +/* + * Callback from dighost.c to print the received message. + */ +void +received(int bytes, isc_sockaddr_t *from, dig_query_t *query) { + isc_uint64_t diff; + isc_time_t now; + time_t tnow; + char fromtext[ISC_SOCKADDR_FORMATSIZE]; + + isc_sockaddr_format(from, fromtext, sizeof(fromtext)); + + TIME_NOW(&now); + + if (query->lookup->stats && !short_form) { + diff = isc_time_microdiff(&now, &query->time_sent); + printf(";; Query time: %ld msec\n", (long int)diff/1000); + printf(";; SERVER: %s(%s)\n", fromtext, query->servname); + time(&tnow); + printf(";; WHEN: %s", ctime(&tnow)); + if (query->lookup->doing_xfr) { + printf(";; XFR size: %u records (messages %u)\n", + query->rr_count, query->msg_count); + } else { + printf(";; MSG SIZE rcvd: %d\n", bytes); + + } + if (key != NULL) { + if (!validated) + puts(";; WARNING -- Some TSIG could not " + "be validated"); + } + if ((key == NULL) && (keysecret[0] != 0)) { + puts(";; WARNING -- TSIG key was not used."); + } + puts(""); + } else if (query->lookup->identify && !short_form) { + diff = isc_time_microdiff(&now, &query->time_sent); + printf(";; Received %u bytes from %s(%s) in %d ms\n\n", + bytes, fromtext, query->servname, + 
(int)diff/1000); + } +} + +/* + * Callback from dighost.c to print that it is trying a server. + * Not used in dig. + * XXX print_trying + */ +void +trying(char *frm, dig_lookup_t *lookup) { + UNUSED(frm); + UNUSED(lookup); +} + +/* + * Internal print routine used to print short form replies. + */ +static isc_result_t +say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) { + isc_result_t result; + isc_uint64_t diff; + isc_time_t now; + char store[sizeof("12345678901234567890")]; + + if (query->lookup->trace || query->lookup->ns_search_only) { + result = dns_rdatatype_totext(rdata->type, buf); + if (result != ISC_R_SUCCESS) + return (result); + ADD_STRING(buf, " "); + } + result = dns_rdata_totext(rdata, NULL, buf); + check_result(result, "dns_rdata_totext"); + if (query->lookup->identify) { + TIME_NOW(&now); + diff = isc_time_microdiff(&now, &query->time_sent); + ADD_STRING(buf, " from server "); + ADD_STRING(buf, query->servname); + snprintf(store, 19, " in %d ms.", (int)diff/1000); + ADD_STRING(buf, store); + } + ADD_STRING(buf, "\n"); + return (ISC_R_SUCCESS); +} + +/* + * short_form message print handler. 
Calls above say_message() + */ +static isc_result_t +short_answer(dns_message_t *msg, dns_messagetextflag_t flags, + isc_buffer_t *buf, dig_query_t *query) +{ + dns_name_t *name; + dns_rdataset_t *rdataset; + isc_buffer_t target; + isc_result_t result, loopresult; + dns_name_t empty_name; + char t[4096]; + dns_rdata_t rdata = DNS_RDATA_INIT; + + UNUSED(flags); + + dns_name_init(&empty_name, NULL); + result = dns_message_firstname(msg, DNS_SECTION_ANSWER); + if (result == ISC_R_NOMORE) + return (ISC_R_SUCCESS); + else if (result != ISC_R_SUCCESS) + return (result); + + for (;;) { + name = NULL; + dns_message_currentname(msg, DNS_SECTION_ANSWER, &name); + + isc_buffer_init(&target, t, sizeof(t)); + + for (rdataset = ISC_LIST_HEAD(name->list); + rdataset != NULL; + rdataset = ISC_LIST_NEXT(rdataset, link)) { + loopresult = dns_rdataset_first(rdataset); + while (loopresult == ISC_R_SUCCESS) { + dns_rdataset_current(rdataset, &rdata); + result = say_message(&rdata, query, + buf); + check_result(result, "say_message"); + loopresult = dns_rdataset_next(rdataset); + dns_rdata_reset(&rdata); + } + } + result = dns_message_nextname(msg, DNS_SECTION_ANSWER); + if (result == ISC_R_NOMORE) + break; + else if (result != ISC_R_SUCCESS) + return (result); + } + + return (ISC_R_SUCCESS); +} +#ifdef DIG_SIGCHASE +isc_result_t +printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset, + isc_buffer_t *target) +{ + isc_result_t result; + dns_master_style_t *style = NULL; + unsigned int styleflags = 0; + + if (rdataset == NULL || owner_name == NULL || target == NULL) + return(ISC_FALSE); + + styleflags |= DNS_STYLEFLAG_REL_OWNER; + if (nottl) + styleflags |= DNS_STYLEFLAG_NO_TTL; + if (noclass) + styleflags |= DNS_STYLEFLAG_NO_CLASS; + if (multiline) { + styleflags |= DNS_STYLEFLAG_OMIT_OWNER; + styleflags |= DNS_STYLEFLAG_OMIT_CLASS; + styleflags |= DNS_STYLEFLAG_REL_DATA; + styleflags |= DNS_STYLEFLAG_OMIT_TTL; + styleflags |= DNS_STYLEFLAG_TTL; + styleflags |= 
DNS_STYLEFLAG_MULTILINE; + styleflags |= DNS_STYLEFLAG_COMMENT; + } + if (multiline || (nottl && noclass)) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 24, 32, 80, 8, mctx); + else if (nottl || noclass) + result = dns_master_stylecreate(&style, styleflags, + 24, 24, 32, 40, 80, 8, mctx); + else + result = dns_master_stylecreate(&style, styleflags, + 24, 32, 40, 48, 80, 8, mctx); + check_result(result, "dns_master_stylecreate"); + + result = dns_master_rdatasettotext(own |
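Review bot: In printrdataset() (dig.c), the NULL-argument guard does `return(ISC_FALSE);` from a function declared to return isc_result_t. ISC_FALSE is zero, the same value as ISC_R_SUCCESS, so a caller that passes a NULL rdataset, owner_name or target is told the call succeeded although nothing was written to target. Return an error result there instead, for example ISC_R_FAILURE. Smaller points in the same file: say_message() calls `snprintf(store, 19, " in %d ms.", (int)diff/1000);` with a hard-coded length even though store is declared as `char store[sizeof("12345678901234567890")]`, and `sizeof(store)` would keep the bound tied to the buffer. The expressions `(int)diff/1000` in say_message() and received(), and `(long int)diff/1000` in received(), cast the 64-bit microsecond value before dividing, so the narrowing applies to the undivided value; `(int)(diff / 1000)` divides first. In received(), the identify branch prints `int bytes` with `%u` while the stats branch uses `%d`. In short_answer(), target is initialised over `t[4096]` but say_message() is passed buf, so target, t and empty_name are set up and never used.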