Author: delphij
Date: Wed Apr  8 17:52:54 2015
New Revision: 281268
URL: https://svnweb.freebsd.org/changeset/base/281268

Log:
  Vendor import of BIND 9.9.7

Added:
  vendor/bind9/dist/doc/arm/Bv9ARM.ch11.html   (contents, props changed)
  vendor/bind9/dist/doc/arm/Bv9ARM.ch12.html   (contents, props changed)
  vendor/bind9/dist/doc/arm/Bv9ARM.ch13.html   (contents, props changed)
  vendor/bind9/dist/doc/arm/notes-wrapper.xml   (contents, props changed)
  vendor/bind9/dist/doc/arm/notes.html   (contents, props changed)
  vendor/bind9/dist/doc/arm/notes.pdf   (contents, props changed)
  vendor/bind9/dist/doc/arm/notes.xml   (contents, props changed)
  vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.c   (contents, props 
changed)
  vendor/bind9/dist/lib/dns/rdata/generic/openpgpkey_61.h   (contents, props 
changed)
Modified:
  vendor/bind9/dist/CHANGES
  vendor/bind9/dist/COPYRIGHT
  vendor/bind9/dist/FAQ.xml
  vendor/bind9/dist/README
  vendor/bind9/dist/bin/check/named-checkconf.c
  vendor/bind9/dist/bin/dig/dig.1
  vendor/bind9/dist/bin/dig/dig.docbook
  vendor/bind9/dist/bin/dig/dig.html
  vendor/bind9/dist/bin/dig/dighost.c
  vendor/bind9/dist/bin/dig/host.c
  vendor/bind9/dist/bin/dig/include/dig/dig.h
  vendor/bind9/dist/bin/dig/nslookup.c
  vendor/bind9/dist/bin/dnssec/dnssec-dsfromkey.c
  vendor/bind9/dist/bin/dnssec/dnssec-importkey.c
  vendor/bind9/dist/bin/dnssec/dnssec-keyfromlabel.c
  vendor/bind9/dist/bin/dnssec/dnssec-keygen.8
  vendor/bind9/dist/bin/dnssec/dnssec-keygen.c
  vendor/bind9/dist/bin/dnssec/dnssec-keygen.docbook
  vendor/bind9/dist/bin/dnssec/dnssec-keygen.html
  vendor/bind9/dist/bin/dnssec/dnssec-settime.8
  vendor/bind9/dist/bin/dnssec/dnssec-settime.c
  vendor/bind9/dist/bin/dnssec/dnssec-settime.docbook
  vendor/bind9/dist/bin/dnssec/dnssec-settime.html
  vendor/bind9/dist/bin/dnssec/dnssec-signzone.c
  vendor/bind9/dist/bin/dnssec/dnssec-verify.c
  vendor/bind9/dist/bin/dnssec/dnssectool.c
  vendor/bind9/dist/bin/dnssec/dnssectool.h
  vendor/bind9/dist/bin/named/client.c
  vendor/bind9/dist/bin/named/config.c
  vendor/bind9/dist/bin/named/include/named/globals.h
  vendor/bind9/dist/bin/named/interfacemgr.c
  vendor/bind9/dist/bin/named/main.c
  vendor/bind9/dist/bin/named/named.html
  vendor/bind9/dist/bin/named/query.c
  vendor/bind9/dist/bin/named/server.c
  vendor/bind9/dist/bin/named/update.c
  vendor/bind9/dist/bin/named/zoneconf.c
  vendor/bind9/dist/bin/nsupdate/nsupdate.c
  vendor/bind9/dist/bin/rndc/rndc.c
  vendor/bind9/dist/config.h.in
  vendor/bind9/dist/configure.in
  vendor/bind9/dist/doc/arm/Bv9ARM-book.xml
  vendor/bind9/dist/doc/arm/Bv9ARM.ch01.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch02.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch03.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch04.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch05.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch06.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch07.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch08.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch09.html
  vendor/bind9/dist/doc/arm/Bv9ARM.ch10.html
  vendor/bind9/dist/doc/arm/Bv9ARM.html
  vendor/bind9/dist/doc/arm/Bv9ARM.pdf
  vendor/bind9/dist/doc/arm/Makefile.in
  vendor/bind9/dist/doc/arm/dnssec.xml
  vendor/bind9/dist/doc/arm/man.arpaname.html
  vendor/bind9/dist/doc/arm/man.ddns-confgen.html
  vendor/bind9/dist/doc/arm/man.dig.html
  vendor/bind9/dist/doc/arm/man.dnssec-checkds.html
  vendor/bind9/dist/doc/arm/man.dnssec-coverage.html
  vendor/bind9/dist/doc/arm/man.dnssec-dsfromkey.html
  vendor/bind9/dist/doc/arm/man.dnssec-keyfromlabel.html
  vendor/bind9/dist/doc/arm/man.dnssec-keygen.html
  vendor/bind9/dist/doc/arm/man.dnssec-revoke.html
  vendor/bind9/dist/doc/arm/man.dnssec-settime.html
  vendor/bind9/dist/doc/arm/man.dnssec-signzone.html
  vendor/bind9/dist/doc/arm/man.dnssec-verify.html
  vendor/bind9/dist/doc/arm/man.genrandom.html
  vendor/bind9/dist/doc/arm/man.host.html
  vendor/bind9/dist/doc/arm/man.isc-hmac-fixup.html
  vendor/bind9/dist/doc/arm/man.named-checkconf.html
  vendor/bind9/dist/doc/arm/man.named-checkzone.html
  vendor/bind9/dist/doc/arm/man.named-journalprint.html
  vendor/bind9/dist/doc/arm/man.named.html
  vendor/bind9/dist/doc/arm/man.nsec3hash.html
  vendor/bind9/dist/doc/arm/man.nsupdate.html
  vendor/bind9/dist/doc/arm/man.rndc-confgen.html
  vendor/bind9/dist/doc/arm/man.rndc.conf.html
  vendor/bind9/dist/doc/arm/man.rndc.html
  vendor/bind9/dist/lib/bind9/api
  vendor/bind9/dist/lib/bind9/check.c
  vendor/bind9/dist/lib/bind9/getaddresses.c
  vendor/bind9/dist/lib/dns/adb.c
  vendor/bind9/dist/lib/dns/api
  vendor/bind9/dist/lib/dns/diff.c
  vendor/bind9/dist/lib/dns/dispatch.c
  vendor/bind9/dist/lib/dns/gen.c
  vendor/bind9/dist/lib/dns/include/dns/dispatch.h
  vendor/bind9/dist/lib/dns/include/dns/log.h
  vendor/bind9/dist/lib/dns/include/dns/rbt.h
  vendor/bind9/dist/lib/dns/include/dns/request.h
  vendor/bind9/dist/lib/dns/journal.c
  vendor/bind9/dist/lib/dns/keytable.c
  vendor/bind9/dist/lib/dns/log.c
  vendor/bind9/dist/lib/dns/master.c
  vendor/bind9/dist/lib/dns/masterdump.c
  vendor/bind9/dist/lib/dns/message.c
  vendor/bind9/dist/lib/dns/name.c
  vendor/bind9/dist/lib/dns/nsec3.c
  vendor/bind9/dist/lib/dns/openssldh_link.c
  vendor/bind9/dist/lib/dns/opensslecdsa_link.c
  vendor/bind9/dist/lib/dns/opensslgost_link.c
  vendor/bind9/dist/lib/dns/private.c
  vendor/bind9/dist/lib/dns/rbt.c
  vendor/bind9/dist/lib/dns/rbtdb.c
  vendor/bind9/dist/lib/dns/rdata.c
  vendor/bind9/dist/lib/dns/rdata/generic/cdnskey_60.c
  vendor/bind9/dist/lib/dns/rdata/generic/cds_59.c
  vendor/bind9/dist/lib/dns/rdata/generic/keydata_65533.c
  vendor/bind9/dist/lib/dns/rdata/generic/nsec3_50.c
  vendor/bind9/dist/lib/dns/rdata/generic/opt_41.c
  vendor/bind9/dist/lib/dns/rdata/generic/rrsig_46.c
  vendor/bind9/dist/lib/dns/rdata/generic/sig_24.c
  vendor/bind9/dist/lib/dns/rdata/generic/spf_99.h
  vendor/bind9/dist/lib/dns/rdata/generic/txt_16.c
  vendor/bind9/dist/lib/dns/rdataset.c
  vendor/bind9/dist/lib/dns/request.c
  vendor/bind9/dist/lib/dns/resolver.c
  vendor/bind9/dist/lib/dns/rootns.c
  vendor/bind9/dist/lib/dns/spnego_asn1.c
  vendor/bind9/dist/lib/dns/tkey.c
  vendor/bind9/dist/lib/dns/tsig.c
  vendor/bind9/dist/lib/dns/validator.c
  vendor/bind9/dist/lib/dns/zone.c
  vendor/bind9/dist/lib/dns/zt.c
  vendor/bind9/dist/lib/export/isc/Makefile.in
  vendor/bind9/dist/lib/export/isc/unix/Makefile.in
  vendor/bind9/dist/lib/export/samples/nsprobe.c
  vendor/bind9/dist/lib/export/samples/sample-request.c
  vendor/bind9/dist/lib/export/samples/sample-update.c
  vendor/bind9/dist/lib/irs/getnameinfo.c
  vendor/bind9/dist/lib/isc/api
  vendor/bind9/dist/lib/isc/hash.c
  vendor/bind9/dist/lib/isc/hmacmd5.c
  vendor/bind9/dist/lib/isc/hmacsha.c
  vendor/bind9/dist/lib/isc/httpd.c
  vendor/bind9/dist/lib/isc/include/isc/platform.h.in
  vendor/bind9/dist/lib/isc/include/isc/radix.h
  vendor/bind9/dist/lib/isc/include/isc/ratelimiter.h
  vendor/bind9/dist/lib/isc/md5.c
  vendor/bind9/dist/lib/isc/mem.c
  vendor/bind9/dist/lib/isc/radix.c
  vendor/bind9/dist/lib/isc/ratelimiter.c
  vendor/bind9/dist/lib/isc/result.c
  vendor/bind9/dist/lib/isc/sha1.c
  vendor/bind9/dist/lib/isc/sha2.c
  vendor/bind9/dist/lib/isc/unix/app.c
  vendor/bind9/dist/lib/isc/unix/include/isc/net.h
  vendor/bind9/dist/lib/isc/unix/include/isc/time.h
  vendor/bind9/dist/lib/isc/unix/net.c
  vendor/bind9/dist/lib/isc/unix/socket.c
  vendor/bind9/dist/lib/isc/unix/stdio.c
  vendor/bind9/dist/lib/isc/unix/time.c
  vendor/bind9/dist/lib/isccfg/api
  vendor/bind9/dist/lib/isccfg/parser.c
  vendor/bind9/dist/lib/lwres/api
  vendor/bind9/dist/lib/lwres/compat.c
  vendor/bind9/dist/lib/lwres/gethost.c
  vendor/bind9/dist/lib/lwres/man/lwres.html
  vendor/bind9/dist/lib/lwres/man/lwres_buffer.html
  vendor/bind9/dist/lib/lwres/man/lwres_config.html
  vendor/bind9/dist/lib/lwres/man/lwres_context.html
  vendor/bind9/dist/lib/lwres/man/lwres_gabn.html
  vendor/bind9/dist/lib/lwres/man/lwres_gai_strerror.html
  vendor/bind9/dist/lib/lwres/man/lwres_getaddrinfo.html
  vendor/bind9/dist/lib/lwres/man/lwres_gethostent.html
  vendor/bind9/dist/lib/lwres/man/lwres_getipnode.html
  vendor/bind9/dist/lib/lwres/man/lwres_getnameinfo.html
  vendor/bind9/dist/lib/lwres/man/lwres_getrrsetbyname.html
  vendor/bind9/dist/lib/lwres/man/lwres_gnba.html
  vendor/bind9/dist/lib/lwres/man/lwres_hstrerror.html
  vendor/bind9/dist/lib/lwres/man/lwres_inetntop.html
  vendor/bind9/dist/lib/lwres/man/lwres_noop.html
  vendor/bind9/dist/lib/lwres/man/lwres_packet.html
  vendor/bind9/dist/lib/lwres/man/lwres_resutil.html
  vendor/bind9/dist/version

Modified: vendor/bind9/dist/CHANGES
==============================================================================
--- vendor/bind9/dist/CHANGES   Wed Apr  8 17:52:23 2015        (r281267)
+++ vendor/bind9/dist/CHANGES   Wed Apr  8 17:52:54 2015        (r281268)
@@ -1,11 +1,145 @@
-       --- 9.9.6-P2 released ---
+       --- 9.9.7 released ---
+
+       --- 9.9.7rc2 released ---
+
+4061.  [bug]           Handle timeout in legacy system test. [RT #38573]
+
+4060.  [bug]           dns_rdata_freestruct could be called on a
+                       uninitialised structure when handling a error.
+                       [RT #38568]
+
+4059.  [bug]           Addressed valgrind warnings. [RT #38549]
+
+4058.  [bug]           UDP dispatches could use the wrong pseudorandom
+                       number generator context. [RT #38578]
+
+4056.  [bug]           Fixed several small bugs in automatic trust anchor
+                       management, including a memory leak and a possible
+                       loss of key state information. [RT #38458]
+
+4057.  [bug]           'dnssec-dsfromkey -T 0' failed to add ttl field.
+                       [RT #38565]
 
 4053.  [security]      Revoking a managed trust anchor and supplying
                        an untrusted replacement could cause named
                        to crash with an assertion failure.
                        (CVE-2015-1349) [RT #38344]
 
-       --- 9.9.6-P1 released ---
+4052.  [bug]           Fix a leak of query fetchlock. [RT #38454]
+
+4050.  [bug]           RPZ could send spurious SERVFAILs in response
+                       to duplicate queries. [RT #38510]
+
+4049.  [bug]           CDS and CDNSKEY had the wrong attributes. [RT #38491]
+
+4048.  [bug]           adb hash table was not being grown. [RT #38470]
+
+       --- 9.9.7rc1 released ---
+
+4047.  [cleanup]       "named -V" now reports the current running versions
+                       of OpenSSL and the libxml2 libraries, in addition to
+                       the versions that were in use at build time.
+
+4046.  [bug]           Accounting of "total use" in memory context
+                       statistics was not correct. [RT #38370]
+
+4045.  [bug]           Skip to next master on dns_request_createvia4 failure.
+                       [RT #25185]
+
+4044.  [bug]           Change 3955 was not complete, resulting in an assertion
+                       failure if the timing was just right. [RT #38352]
+
+4039.  [cleanup]       Cleaned up warnings from gcc -Wshadow. [RT #37381]
+
+4038.  [bug]           Add 'rpz' flag to node and use it to determine whether
+                       to call dns_rpz_delete.  This should prevent unbalanced
+                       add / delete calls. [RT #36888]
+
+4037.  [bug]           also-notify was ignoring the tsig key when checking
+                       for duplicates resulting in some expected notify
+                       messages not being sent. [RT #38369]
+
+4035.  [bug]           Close temporary and NZF FILE pointers before moving
+                       the former into the latter's place, as required on
+                       Windows. [RT #38332]
+
+4032.  [bug]           Built-in "empty" zones did not correctly inherit the
+                       "allow-transfer" ACL from the options or view.
+                       [RT #38310]
+
+4031.  [bug]           named-checkconf -z failed to report a missing file
+                       with a hint zone. [RT #38294]
+
+4028.  [bug]           $GENERATE with a zero step was not being caught as a
+                       error.  A $GENERATE with a / but no step was not being
+                       caught as a error. [RT #38262]
+
+3973.  [test]          Added hooks for Google Performance Tools CPU profiler,
+                       including real-time/wall-clock profiling. Use
+                       "configure --with-gperftools-profiler" to enable.
+                       [RT #37339]
+
+       --- 9.9.7b1 released ---
+
+4027.  [port]          Net::DNS 0.81 compatibility. [RT #38165]
+
+4026.  [bug]           Fix RFC 3658 reference in dig +sigchase. [RT #38173]
+
+4025.  [port]          bsdi: failed to build. [RT #38047]
+
+4024.  [bug]           dns_rdata_opt_first, dns_rdata_opt_next,
+                       dns_rdata_opt_current, dns_rdata_txt_first,
+                       dns_rdata_txt_next and dns_rdata_txt_current were
+                       documented but not implemented.  These have now been
+                       implemented.
+
+                       dns_rdata_spf_first, dns_rdata_spf_next and
+                       dns_rdata_spf_current were documented but not
+                       implemented.  The prototypes for these
+                       functions have been removed. [RT #38068]
+
+4023.  [bug]           win32: socket handling with explicit ports and
+                       invoking named with -4 was broken for some
+                       configurations. [RT #38068]
+
+4021.  [bug]           Adjust max-recursion-queries to accommodate
+                       the need for more queries when the cache is
+                       empty. [RT #38104]
+
+4020.  [bug]           Change 3736 broke nsupdate's SOA MNAME discovery
+                       resulting in updates being sent to the wrong server.
+                       [RT #37925]
+
+4019.  [func]          If named is not configured to validate the answer
+                       then allow fallback to plain DNS on timeout even
+                       when we know the server supports EDNS. [RT #37978]
+
+4018.  [bug]           Fall back to plain DNS when EDNS queries are being
+                       dropped was failing. [RT #37965]
+
+4017.  [test]          Add system test to check lookups to legacy servers
+                       with broken DNS behavior. [RT #37965]
+
+4016.  [bug]           Fix a dig segfault due to bad linked list usage.
+                       [RT #37591]
+
+4015.  [bug]           Nameservers that are skipped due to them being
+                       CNAMEs were not being logged. They are now logged
+                       to category 'cname' as per BIND 8. [RT #37935]
+
+4014.  [bug]           When including a master file origin_changed was
+                       not being properly set leading to a potentially
+                       spurious 'inherited owner' warning. [RT #37919]
+
+4012.  [bug]           Check returned status of OpenSSL digest and HMAC
+                       functions when they return one. Note this applies
+                       only to FIPS capable OpenSSL libraries put in
+                       FIPS mode and MD5. [RT #37944]
+
+4011.  [bug]           master's list port inheritance was not properly
+                       implemented. [RT #37792]
+
+4007.  [doc]           Remove acl forward reference restriction. [RT #37772]
 
 4006.  [security]      A flaw in delegation handling could be exploited
                        to put named into an infinite loop.  This has
@@ -19,6 +153,99 @@
                        "max-recursion-depth" option, and the query limit
                        via the "max-recursion-queries" option.  [RT #37580]
 
+4004.  [bug]           When delegations had AAAA glue but not A, a
+                       reference could be leaked causing an assertion
+                       failure on shutdown. [RT #37796]
+
+4000.  [bug]           NXDOMAIN redirection incorrectly handled NXRRSET
+                       from the redirect zone. [RT #37722]
+
+3998.  [bug]           isc_radix_search was returning matches that were
+                       too precise. [RT #37680]
+
+3997.  [protocol]      Add OPENGPGKEY record. [RT# 37671]
+
+3996.  [bug]           Address use after free on out of memory error in
+                       keyring_add. [RT #37639]
+
+3995.  [bug]           receive_secure_serial holds the zone lock for too
+                       long. [RT #37626]
+
+3990.  [testing]       Add tests for unknown DNSSEC algorithm handling.
+                       [RT #37541]
+
+3989.  [cleanup]       Remove redundant dns_db_resigned calls. [RT #35748]
+
+3987.  [func]          Handle future Visual Studio 14 incompatible changes.
+                       [RT #37380]
+
+3986.  [doc]           Add the BIND version number to page footers
+                       in the ARM. [RT #37398]
+
+3985.  [doc]           Describe how +ndots and +search interact in dig.
+                       [RT #37529]
+
+3982.  [doc]           Include release notes in product documentation.
+                       [RT #37272]
+
+3981.  [bug]           Cache DS/NXDOMAIN independently of other query types.
+                       [RT #37467]
+
+3978.  [test]          Added a unit test for Diffie-Hellman key
+                       computation, completing change #3974. [RT #37477]
+
+3976.  [bug]           When refreshing managed-key trust anchors, clear
+                       any cached trust so that they will always be
+                       revalidated with the current set of secure
+                       roots. [RT #37506]
+
+3974.  [bug]           Handle DH_compute_key() failure correctly in
+                       openssldh_link.c. [RT #37477]
+
+3972.  [bug]           Fix host's usage statement. [RT #37397]
+
+3971.  [bug]           Reduce the cascading failures due to a bad $TTL line
+                       in named-checkconf / named-checkzone. [RT #37138]
+
+3970.  [contrib]       Fixed a use after free bug in the SDB LDAP driver.
+                       [RT #37237]
+
+3968.  [bug]           Silence spurious log messages when using 'named -[46]'.
+                       [RT #37308]
+
+3967.  [test]          Add test for inlined signed zone in multiple views
+                       with different DNSKEY sets. [RT #35759]
+
+3966.  [bug]           Missing dns_db_closeversion call in receive_secure_db.
+                       [RT #35746]
+
+3962.  [bug]           'dig +topdown +trace +sigchase' address unhandled error
+                       conditions. [RT #34663]
+
+3961.  [bug]           Forwarding of SIG(0) signed UPDATE messages failed with
+                       BADSIG.  [RT #37216]
+
+3960.  [bug]           'dig +sigchase' could loop forever. [RT #37220]
+
+3959.  [bug]           Updates could be lost if they arrived immediately
+                       after a rndc thaw. [RT #37233]
+
+3958.  [bug]           Detect when writeable files have multiple references
+                       in named.conf. [RT #37172]
+
+3957.  [bug]           "dnssec-keygen -S" failed for ECCGOST, ECDSAP256SHA256
+                       and ECDSAP384SHA384. [RT #37183]
+
+3955.  [bug]           Notify messages due to changes are no longer queued
+                       behind startup notify messages. [RT #24454]
+
+3954.  [bug]           Unchecked mutex init in dlz_dlopen_driver.c [RT #37112]
+
+3953.  [bug]           Don't escape semi-colon in TXT fields. [RT #37159]
+
+3952.  [bug]           dns_name_fullcompare failed to set *nlabelsp when the
+                       two name pointers were the same. [RT #37176]
+
        --- 9.9.6 released ---
 
 3950.  [port]          Changed the bin/python Makefile to work around a
@@ -63,7 +290,7 @@
 
 3922.  [bug]           When resigning, dnssec-signzone was removing
                        all signatures from delegation nodes. It now
-                       retains DS and (if applicable) NSEC signatures.
+                       retains DS and (if applicable) NSEC signatures.
                        [RT #36946]
 
 3921.  [bug]           AD was inappropriately set on RPZ responses. [RT #36833]

Modified: vendor/bind9/dist/COPYRIGHT
==============================================================================
--- vendor/bind9/dist/COPYRIGHT Wed Apr  8 17:52:23 2015        (r281267)
+++ vendor/bind9/dist/COPYRIGHT Wed Apr  8 17:52:54 2015        (r281268)
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any

Modified: vendor/bind9/dist/FAQ.xml
==============================================================================
--- vendor/bind9/dist/FAQ.xml   Wed Apr  8 17:52:23 2015        (r281267)
+++ vendor/bind9/dist/FAQ.xml   Wed Apr  8 17:52:54 2015        (r281268)
@@ -1,7 +1,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"; []>
 <!--
- - Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2010, 2013, 2014  Internet Systems Consortium, Inc. 
("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -31,6 +31,7 @@
       <year>2009</year>
       <year>2010</year>
       <year>2013</year>
+      <year>2014</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>

Modified: vendor/bind9/dist/README
==============================================================================
--- vendor/bind9/dist/README    Wed Apr  8 17:52:23 2015        (r281267)
+++ vendor/bind9/dist/README    Wed Apr  8 17:52:54 2015        (r281268)
@@ -51,14 +51,21 @@ BIND 9
        For up-to-date release notes and errata, see
        http://www.isc.org/software/bind9/releasenotes
 
+
+BIND 9.9.7
+
+       BIND 9.9.7 is a maintenance release and addresses bugs
+       found in BIND 9.9.6 and earlier, as well as the security
+       flaws described in CVE-2014-8500 and CVE-2015-1349.
+
 BIND 9.9.6
 
        BIND 9.9.6 is a maintenance release, and also includes
-        the following new functionality.
+       the following new functionality.
 
         - The former behavior with respect to capitalization of names
-           (prior to BIND 9.9.5) can be restored for specific clients via
-           the new "no-case-compress" ACL.
+          (prior to BIND 9.9.5) can be restored for specific clients via
+          the new "no-case-compress" ACL.
 
 BIND 9.9.5
 
@@ -219,7 +226,7 @@ Building
                                    -DDIG_SIGCHASE_BU=1)
                Disable dropping queries from particular well known ports.
                  -DNS_CLIENT_DROPPORT=0
-               Sibling glue checking in named-checkzone is enabled by default.
+               Sibling glue checking in named-checkzone is enabled by default.
                To disable the default check set.  -DCHECK_SIBLING=0
                named-checkzone checks out-of-zone addresses by default.
                To disable this default set.  -DCHECK_LOCAL=0
@@ -358,7 +365,7 @@ Change Log
           [security]     Fix for a significant security flaw
 
           [experimental] Used for new features when the syntax
-                         or other aspects of the design are still
+                         or other aspects of the design are still
                          in flux and may change
 
           [port]         Portability enhancement
@@ -367,7 +374,7 @@ Change Log
                          server addresses and keys
 
           [tuning]       Changes to built-in configuration defaults
-                         and constants to improve performanceo
+                         and constants to improve performanceo
 
           [protocol]     Updates to the DNS protocol such as new
                          RR types

Modified: vendor/bind9/dist/bin/check/named-checkconf.c
==============================================================================
--- vendor/bind9/dist/bin/check/named-checkconf.c       Wed Apr  8 17:52:23 
2015        (r281267)
+++ vendor/bind9/dist/bin/check/named-checkconf.c       Wed Apr  8 17:52:54 
2015        (r281268)
@@ -488,7 +488,33 @@ main(int argc, char **argv) {
 
        isc_commandline_errprint = ISC_FALSE;
 
-       while ((c = isc_commandline_parse(argc, argv, "dhjt:pvxz")) != EOF) {
+       /*
+        * Process memory debugging argument first.
+        */
+#define CMDLINE_FLAGS "dhjm:t:pvxz"
+       while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+               switch (c) {
+               case 'm':
+                       if (strcasecmp(isc_commandline_argument, "record") == 0)
+                               isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+                       if (strcasecmp(isc_commandline_argument, "trace") == 0)
+                               isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+                       if (strcasecmp(isc_commandline_argument, "usage") == 0)
+                               isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+                       if (strcasecmp(isc_commandline_argument, "size") == 0)
+                               isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+                       if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+                               isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+                       break;
+               default:
+                       break;
+               }
+       }
+       isc_commandline_reset = ISC_TRUE;
+
+       RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+       while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != EOF) {
                switch (c) {
                case 'd':
                        debug++;
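Review bot: In the new pre-pass over `-m`, an argument that matches none of the five `strcasecmp` tests (a constructed example: `-m recrod`) is silently ignored, so the operator gets neither memory debugging nor a diagnostic. A final check that reports the unrecognised value would make the mistake visible. The pre-pass loop also ends on `!= -1` while the main loop right after it still tests `!= EOF`; using one sentinel in both, e.g. `while ((c = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {`, keeps the two passes consistent. `CMDLINE_FLAGS` is `#define`d in the middle of `main`, whose body starts and ends outside this hunk, and the empty `case 'm':` added in the next hunk would read better with a comment such as `/* already handled in the pre-pass */`.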
@@ -498,6 +524,9 @@ main(int argc, char **argv) {
                        nomerge = ISC_FALSE;
                        break;
 
+               case 'm':
+                       break;
+
                case 't':
                        result = isc_dir_chroot(isc_commandline_argument);
                        if (result != ISC_R_SUCCESS) {
@@ -557,8 +586,6 @@ main(int argc, char **argv) {
        InitSockets();
 #endif
 
-       RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
-
        RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
 
        RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);

Modified: vendor/bind9/dist/bin/dig/dig.1
==============================================================================
--- vendor/bind9/dist/bin/dig/dig.1     Wed Apr  8 17:52:23 2015        
(r281267)
+++ vendor/bind9/dist/bin/dig/dig.1     Wed Apr  8 17:52:54 2015        
(r281268)
@@ -388,7 +388,10 @@ for it to be considered absolute. The de
 or
 \fBdomain\fR
 directive in
-\fI/etc/resolv.conf\fR.
+\fI/etc/resolv.conf\fR
+if
+\fB+search\fR
+is set.
 .RE
 .PP
 \fB+[no]nsid\fR
@@ -447,6 +450,12 @@ Toggle the display of per\-record commen
 Use [do not use] the search list defined by the searchlist or domain directive 
in
 \fIresolv.conf\fR
 (if any). The search list is not used by default.
+.sp
+\'ndots' from
+\fIresolv.conf\fR
+(default 1) which may be overridden by
+\fI+ndots\fR
+determines if the name will be treated as relative or not and hence whether a 
search is eventually performed or not.
 .RE
 .PP
 \fB+[no]short\fR

Modified: vendor/bind9/dist/bin/dig/dig.docbook
==============================================================================
--- vendor/bind9/dist/bin/dig/dig.docbook       Wed Apr  8 17:52:23 2015        
(r281267)
+++ vendor/bind9/dist/bin/dig/dig.docbook       Wed Apr  8 17:52:54 2015        
(r281268)
@@ -624,7 +624,8 @@
              are interpreted as relative names and will be searched
              for in the domains listed in the <option>search</option>
              or <option>domain</option> directive in
-             <filename>/etc/resolv.conf</filename>.
+             <filename>/etc/resolv.conf</filename> if
+             <option>+search</option> is set.
            </para>
          </listitem>
        </varlistentry>
@@ -731,6 +732,13 @@
              <filename>resolv.conf</filename> (if any).  The search
              list is not used by default.
            </para>
+           <para>
+             'ndots' from <filename>resolv.conf</filename> (default 1)
+              which may be overridden by <parameter>+ndots</parameter>
+             determines if the name will be treated as relative
+             or not and hence whether a search is eventually
+             performed or not.
+           </para>
          </listitem>
        </varlistentry>
 

Modified: vendor/bind9/dist/bin/dig/dig.html
==============================================================================
--- vendor/bind9/dist/bin/dig/dig.html  Wed Apr  8 17:52:23 2015        
(r281267)
+++ vendor/bind9/dist/bin/dig/dig.html  Wed Apr  8 17:52:54 2015        
(r281268)
@@ -412,7 +412,8 @@
              are interpreted as relative names and will be searched
              for in the domains listed in the <code 
class="option">search</code>
              or <code class="option">domain</code> directive in
-             <code class="filename">/etc/resolv.conf</code>.
+             <code class="filename">/etc/resolv.conf</code> if
+             <code class="option">+search</code> is set.
            </p></dd>
 <dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
 <dd><p>
@@ -468,12 +469,21 @@
              record comments unless multiline mode is active.
            </p></dd>
 <dt><span class="term"><code class="option">+[no]search</code></span></dt>
-<dd><p>
+<dd>
+<p>
              Use [do not use] the search list defined by the
              searchlist or domain directive in
              <code class="filename">resolv.conf</code> (if any).  The search
              list is not used by default.
-           </p></dd>
+           </p>
+<p>
+             'ndots' from <code class="filename">resolv.conf</code> (default 1)
+              which may be overridden by <em 
class="parameter"><code>+ndots</code></em>
+             determines if the name will be treated as relative
+             or not and hence whether a search is eventually
+             performed or not.
+           </p>
+</dd>
 <dt><span class="term"><code class="option">+[no]short</code></span></dt>
 <dd><p>
              Provide a terse answer.  The default is to print the
@@ -590,7 +600,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545168"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545181"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig 
</strong></span>
       supports
@@ -636,7 +646,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545229"></a><h2>IDN SUPPORT</h2>
+<a name="id2545243"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with 
IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -650,14 +660,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545252"></a><h2>FILES</h2>
+<a name="id2545266"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545269"></a><h2>SEE ALSO</h2>
+<a name="id2545283"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span 
class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span 
class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span 
class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -665,7 +675,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545306"></a><h2>BUGS</h2>
+<a name="id2545320"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>

Modified: vendor/bind9/dist/bin/dig/dighost.c
==============================================================================
--- vendor/bind9/dist/bin/dig/dighost.c Wed Apr  8 17:52:23 2015        
(r281267)
+++ vendor/bind9/dist/bin/dig/dighost.c Wed Apr  8 17:52:54 2015        
(r281268)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -58,6 +58,7 @@
 #include <dns/log.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/rcode.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
@@ -1070,10 +1071,9 @@ parse_hmac(const char *hmac) {
  */
 static isc_result_t
 read_confkey(void) {
-       isc_log_t *lctx = NULL;
        cfg_parser_t *pctx = NULL;
        cfg_obj_t *file = NULL;
-       const cfg_obj_t *key = NULL;
+       const cfg_obj_t *keyobj = NULL;
        const cfg_obj_t *secretobj = NULL;
        const cfg_obj_t *algorithmobj = NULL;
        const char *keyname;
@@ -1084,7 +1084,7 @@ read_confkey(void) {
        if (! isc_file_exists(keyfile))
                return (ISC_R_FILENOTFOUND);
 
-       result = cfg_parser_create(mctx, lctx, &pctx);
+       result = cfg_parser_create(mctx, NULL, &pctx);
        if (result != ISC_R_SUCCESS)
                goto cleanup;
 
@@ -1093,16 +1093,16 @@ read_confkey(void) {
        if (result != ISC_R_SUCCESS)
                goto cleanup;
 
-       result = cfg_map_get(file, "key", &key);
+       result = cfg_map_get(file, "key", &keyobj);
        if (result != ISC_R_SUCCESS)
                goto cleanup;
 
-       (void) cfg_map_get(key, "secret", &secretobj);
-       (void) cfg_map_get(key, "algorithm", &algorithmobj);
+       (void) cfg_map_get(keyobj, "secret", &secretobj);
+       (void) cfg_map_get(keyobj, "algorithm", &algorithmobj);
        if (secretobj == NULL || algorithmobj == NULL)
                fatal("key must have algorithm and secret");
 
-       keyname = cfg_obj_asstring(cfg_map_getname(key));
+       keyname = cfg_obj_asstring(cfg_map_getname(keyobj));
        secretstr = cfg_obj_asstring(secretobj);
        algorithm = cfg_obj_asstring(algorithmobj);
 
@@ -2216,7 +2216,6 @@ setup_lookup(dig_lookup_t *lookup) {
                if (result != ISC_R_SUCCESS) {
                        dns_message_puttempname(lookup->sendmsg,
                                                &lookup->name);
-                       isc_buffer_init(&b, store, MXNAME);
                        fatal("'%s' is not a legal name "
                              "(%s)", lookup->textname,
                              isc_result_totext(result));
@@ -2976,7 +2975,8 @@ connect_done(isc_task_t *task, isc_event
                query->waiting_connect = ISC_FALSE;
                isc_event_free(&event);
                l = query->lookup;
-               if (l->current_query != NULL)
+               if ((l->current_query != NULL) &&
+                   (ISC_LINK_LINKED(l->current_query, link)))
                        next = ISC_LIST_NEXT(l->current_query, link);
                else
                        next = NULL;
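Review bot: The new `ISC_LINK_LINKED(l->current_query, link)` test in connect_done() has no comment saying why `current_query` can be non-NULL yet no longer on the lookup's query list, so a later reader cannot tell what the guard protects. I would add `/* current_query may already have been unlinked from the lookup's list; ISC_LIST_NEXT() on an unlinked element does not yield NULL. */` above the condition. Any other site that takes `ISC_LIST_NEXT(l->current_query, link)` would presumably need the same test, but none is visible in this hunk. connect_done()'s body starts and ends outside the hunk.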
@@ -3518,7 +3518,7 @@ recv_done(isc_task_t *task, isc_event_t 
 #endif
                                printmessage(query, msg, ISC_TRUE);
                } else if (l->trace) {
-                       int n = 0;
+                       int nl = 0;
                        int count = msg->counts[DNS_SECTION_ANSWER];
 
                        debug("in TRACE code");
@@ -3529,13 +3529,13 @@ recv_done(isc_task_t *task, isc_event_t 
                        if (l->trace_root || (l->ns_search_only && count > 0)) {
                                if (!l->trace_root)
                                        l->rdtype = dns_rdatatype_soa;
-                               n = followup_lookup(msg, query,
-                                                   DNS_SECTION_ANSWER);
+                               nl = followup_lookup(msg, query,
+                                                    DNS_SECTION_ANSWER);
                                l->trace_root = ISC_FALSE;
                        } else if (count == 0)
-                               n = followup_lookup(msg, query,
-                                                   DNS_SECTION_AUTHORITY);
-                       if (n == 0)
+                               nl = followup_lookup(msg, query,
+                                                    DNS_SECTION_AUTHORITY);
+                       if (nl == 0)
                                docancel = ISC_TRUE;
                } else {
                        debug("in NSSEARCH code");
@@ -3544,12 +3544,12 @@ recv_done(isc_task_t *task, isc_event_t 
                                /*
                                 * This is the initial NS query.
                                 */
-                               int n;
+                               int nl;
 
                                l->rdtype = dns_rdatatype_soa;
-                               n = followup_lookup(msg, query,
-                                                   DNS_SECTION_ANSWER);
-                               if (n == 0)
+                               nl = followup_lookup(msg, query,
+                                                    DNS_SECTION_ANSWER);
+                               if (nl == 0)
                                        docancel = ISC_TRUE;
                                l->trace_root = ISC_FALSE;
                                usesearch = ISC_FALSE;
@@ -3679,12 +3679,12 @@ recv_done(isc_task_t *task, isc_event_t 
  * routines, since they may be using a non-DNS system for these lookups.
  */
 isc_result_t
-get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
+get_address(char *host, in_port_t myport, isc_sockaddr_t *sockaddr) {
        int count;
        isc_result_t result;
 
        isc_app_block();
-       result = bind9_getaddresses(host, port, sockaddr, 1, &count);
+       result = bind9_getaddresses(host, myport, sockaddr, 1, &count);
        isc_app_unblock();
        if (result != ISC_R_SUCCESS)
                return (result);
@@ -4151,6 +4151,9 @@ chase_scanname_section(dns_message_t *ms
        dns_rdataset_t *rdataset;
        dns_name_t *msg_name = NULL;
 
+       if (msg->counts[section] == 0)
+               return (NULL);
+
        do {
                dns_message_currentname(msg, section, &msg_name);
                if (dns_name_compare(msg_name, name) == 0) {
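Review bot: The added `msg->counts[section] == 0` early return in chase_scanname_section() covers an empty section, but the loop still calls dns_message_currentname() with no dns_message_firstname() visible before it in this hunk. The function therefore appears to rely on the caller having positioned the section cursor. That precondition deserves a comment above the new check, for example `/* Caller must have positioned the section cursor; an empty section has no current name to read. */`. The function continues past the end of the hunk, so the caller-side contract should be confirmed there.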
@@ -4357,8 +4360,8 @@ get_trusted_key(isc_mem_t *mctx)
        dns_rdatacallbacks_init_stdio(&callbacks);
        callbacks.add = insert_trustedkey;
        return (dns_master_loadfile(filename, dns_rootname, dns_rootname,
-                                   current_lookup->rdclass, 0, &callbacks,
-                                   mctx));
+                                   current_lookup->rdclass, DNS_MASTER_NOTTL,
+                                   &callbacks, mctx));
 }
 
 
@@ -4558,36 +4561,36 @@ child_of_zone(dns_name_t * name, dns_nam
 }
 
 isc_result_t
-grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
-{
-       isc_result_t result;
-       dns_rdata_t sigrdata = DNS_RDATA_INIT;
+grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset) {
        dns_rdata_sig_t siginfo;
+       dns_rdataset_t mysigrdataset;
+       isc_result_t result;
 
-       result = dns_rdataset_first(sigrdataset);
+       dns_rdataset_init(&mysigrdataset);
+       dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+       result = dns_rdataset_first(&mysigrdataset);
        check_result(result, "empty RRSIG dataset");
-       dns_rdata_init(&sigrdata);
 
        do {
-               dns_rdataset_current(sigrdataset, &sigrdata);
+               dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+               dns_rdataset_current(&mysigrdataset, &sigrdata);
 
                result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
                check_result(result, "sigrdata tostruct siginfo");
 
                if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
-                       dns_rdata_freestruct(&siginfo);
-                       dns_rdata_reset(&sigrdata);
-                       return (ISC_R_SUCCESS);
+                       result = ISC_R_SUCCESS;
+                       goto cleanup;
                }
+       } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
 
-               dns_rdata_freestruct(&siginfo);
-               dns_rdata_reset(&sigrdata);
+       result = ISC_R_FAILURE;
+cleanup:
+       dns_rdataset_disassociate(&mysigrdataset);
 
-       } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
-
-       dns_rdata_reset(&sigrdata);
-
-       return (ISC_R_FAILURE);
+       return (result);
 }
 
 
@@ -4667,26 +4670,30 @@ contains_trusted_key(dns_name_t *name, d
                     dns_rdataset_t *sigrdataset,
                     isc_mem_t *mctx)
 {
-       isc_result_t result;
-       dns_rdata_t rdata = DNS_RDATA_INIT;
+       dns_rdataset_t myrdataset;
        dst_key_t *dnsseckey = NULL;
        int i;
+       isc_result_t result;
 
        if (name == NULL || rdataset == NULL)
                return (ISC_R_FAILURE);
 
-       result = dns_rdataset_first(rdataset);
+       dns_rdataset_init(&myrdataset);
+       dns_rdataset_clone(rdataset, &myrdataset);
+
+       result = dns_rdataset_first(&myrdataset);
        check_result(result, "empty rdataset");
 
        do {
-               dns_rdataset_current(rdataset, &rdata);
+               dns_rdata_t rdata = DNS_RDATA_INIT;
+
+               dns_rdataset_current(&myrdataset, &rdata);
                INSIST(rdata.type == dns_rdatatype_dnskey);
 
                result = dns_dnssec_keyfromrdata(name, &rdata,
                                                 mctx, &dnsseckey);
                check_result(result, "dns_dnssec_keyfromrdata");
 
-
                for (i = 0; i < tk_list.nb_tk; i++) {
                        if (dst_key_compare(tk_list.key[i], dnsseckey)
                            == ISC_TRUE) {
@@ -4695,22 +4702,21 @@ contains_trusted_key(dns_name_t *name, d
                                printf(";; Ok, find a Trusted Key in the "
                                       "DNSKEY RRset: %d\n",
                                       dst_key_id(dnsseckey));
-                               if (sigchase_verify_sig_key(name, rdataset,
-                                                           dnsseckey,
-                                                           sigrdataset,
-                                                           mctx)
-                                   == ISC_R_SUCCESS) {
-                                       dst_key_free(&dnsseckey);
-                                       dnsseckey = NULL;
-                                       return (ISC_R_SUCCESS);
-                               }
+                               result = sigchase_verify_sig_key(name, rdataset,
+                                                                dnsseckey,
+                                                                sigrdataset,
+                                                                mctx);
+                               if (result == ISC_R_SUCCESS)
+                                       goto cleanup;
                        }
                }
+               dst_key_free(&dnsseckey);
+       } while (dns_rdataset_next(&myrdataset) == ISC_R_SUCCESS);
 
-               dns_rdata_reset(&rdata);
-               if (dnsseckey != NULL)
-                       dst_key_free(&dnsseckey);
-       } while (dns_rdataset_next(rdataset) == ISC_R_SUCCESS);
+cleanup:
+       if (dnsseckey != NULL)
+               dst_key_free(&dnsseckey);
+       dns_rdataset_disassociate(&myrdataset);
 
        return (ISC_R_NOTFOUND);
 }
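Review bot: contains_trusted_key() now returns `ISC_R_NOTFOUND` on every path that reaches the end of the function: a successful `sigchase_verify_sig_key()` does `goto cleanup`, and the unchanged `return (ISC_R_NOTFOUND);` after the `cleanup:` label discards `result`. For callers that test for `ISC_R_SUCCESS`, the trusted-key check can never succeed, which fails closed but breaks the validation it is meant to report. sigchase_verify_sig() in the next hunk shows the intended shape: set `result = ISC_R_NOTFOUND;` after the `while` loop, before `cleanup:`, and end with `return (result);`. The function starts in the previous hunk.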
@@ -4721,16 +4727,20 @@ sigchase_verify_sig(dns_name_t *name, dn
                    dns_rdataset_t *sigrdataset,
                    isc_mem_t *mctx)
 {
-       isc_result_t result;
-       dns_rdata_t keyrdata = DNS_RDATA_INIT;
+       dns_rdataset_t mykeyrdataset;
        dst_key_t *dnsseckey = NULL;
+       isc_result_t result;
 
-       result = dns_rdataset_first(keyrdataset);
+       dns_rdataset_init(&mykeyrdataset);
+       dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+       result = dns_rdataset_first(&mykeyrdataset);
        check_result(result, "empty DNSKEY dataset");
-       dns_rdata_init(&keyrdata);
 
        do {
-               dns_rdataset_current(keyrdataset, &keyrdata);
+               dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+               dns_rdataset_current(&mykeyrdataset, &keyrdata);
                INSIST(keyrdata.type == dns_rdatatype_dnskey);
 
                result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4739,18 +4749,19 @@ sigchase_verify_sig(dns_name_t *name, dn
 
                result = sigchase_verify_sig_key(name, rdataset, dnsseckey,
                                                 sigrdataset, mctx);
-               if (result == ISC_R_SUCCESS) {
-                       dns_rdata_reset(&keyrdata);
-                       dst_key_free(&dnsseckey);
-                       return (ISC_R_SUCCESS);
-               }
+               if (result == ISC_R_SUCCESS)
+                       goto cleanup;
                dst_key_free(&dnsseckey);
-               dns_rdata_reset(&keyrdata);
-       } while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
+       } while (dns_rdataset_next(&mykeyrdataset) == ISC_R_SUCCESS);
 
-       dns_rdata_reset(&keyrdata);
+       result = ISC_R_NOTFOUND;
 
-       return (ISC_R_NOTFOUND);
+ cleanup:
+       if (dnsseckey != NULL)
+               dst_key_free(&dnsseckey);
+       dns_rdataset_disassociate(&mykeyrdataset);
+
+       return (result);
 }
 
 isc_result_t
@@ -4758,16 +4769,23 @@ sigchase_verify_sig_key(dns_name_t *name
                        dst_key_t *dnsseckey, dns_rdataset_t *sigrdataset,
                        isc_mem_t *mctx)
 {
-       isc_result_t result;
-       dns_rdata_t sigrdata = DNS_RDATA_INIT;
        dns_rdata_sig_t siginfo;
+       dns_rdataset_t myrdataset;
+       dns_rdataset_t mysigrdataset;
+       isc_result_t result;
 
-       result = dns_rdataset_first(sigrdataset);
+       dns_rdataset_init(&myrdataset);
+       dns_rdataset_clone(rdataset, &myrdataset);
+       dns_rdataset_init(&mysigrdataset);
+       dns_rdataset_clone(sigrdataset, &mysigrdataset);
+
+       result = dns_rdataset_first(&mysigrdataset);
        check_result(result, "empty RRSIG dataset");
-       dns_rdata_init(&sigrdata);
 
        do {
-               dns_rdataset_current(sigrdataset, &sigrdata);
+               dns_rdata_t sigrdata = DNS_RDATA_INIT;
+
+               dns_rdataset_current(&mysigrdataset, &sigrdata);
 
                result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
                check_result(result, "sigrdata tostruct siginfo");
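Review bot: The `dns_rdataset_clone()` calls added at the top of sigchase_verify_sig_key() carry no comment, and the reason for them is not obvious from the code. The function rewinds `rdataset` with `dns_rdataset_first()` further down, and a caller may be part-way through iterating the same rdataset it passes in. I would add `/* Iterate private clones so the caller's rdataset cursors are left untouched. */` above the first `dns_rdataset_init()`. The same one-line comment fits the clones added in grandfather_pb_test(), contains_trusted_key(), sigchase_verify_sig() and sigchase_verify_ds(). The function body continues in the following hunks.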
@@ -4778,10 +4796,10 @@ sigchase_verify_sig_key(dns_name_t *name
                 */
                if (siginfo.keyid == dst_key_id(dnsseckey)) {
 
-                       result = dns_rdataset_first(rdataset);
+                       result = dns_rdataset_first(&myrdataset);
                        check_result(result, "empty DS dataset");
 
-                       result = dns_dnssec_verify(name, rdataset, dnsseckey,
+                       result = dns_dnssec_verify(name, &myrdataset, dnsseckey,
                                                   ISC_FALSE, mctx, &sigrdata);
 
                        printf(";; VERIFYING ");
@@ -4791,19 +4809,18 @@ sigchase_verify_sig_key(dns_name_t *name
                        printf(" with DNSKEY:%d: %s\n", dst_key_id(dnsseckey),
                               isc_result_totext(result));
 
-                       if (result == ISC_R_SUCCESS) {
-                               dns_rdata_reset(&sigrdata);
-                               return (result);
-                       }
+                       if (result == ISC_R_SUCCESS)
+                               goto cleanup;
                }
-               dns_rdata_freestruct(&siginfo);
-               dns_rdata_reset(&sigrdata);
+       } while (dns_rdataset_next(&mysigrdataset) == ISC_R_SUCCESS);
 
-       } while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
+       result = ISC_R_NOTFOUND;
 
-       dns_rdata_reset(&sigrdata);
+ cleanup:
+       dns_rdataset_disassociate(&myrdataset);
+       dns_rdataset_disassociate(&mysigrdataset);
 
-       return (ISC_R_NOTFOUND);
+       return (result);
 }
 
 
@@ -4811,27 +4828,35 @@ isc_result_t
 sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
                   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
 {
-       isc_result_t result;
-       dns_rdata_t keyrdata = DNS_RDATA_INIT;
-       dns_rdata_t newdsrdata = DNS_RDATA_INIT;
-       dns_rdata_t dsrdata = DNS_RDATA_INIT;
        dns_rdata_ds_t dsinfo;
+       dns_rdataset_t mydsrdataset;
+       dns_rdataset_t mykeyrdataset;
        dst_key_t *dnsseckey = NULL;
+       isc_result_t result;
        unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 
-       result = dns_rdataset_first(dsrdataset);
+       dns_rdataset_init(&mydsrdataset);
+       dns_rdataset_clone(dsrdataset, &mydsrdataset);
+       dns_rdataset_init(&mykeyrdataset);
+       dns_rdataset_clone(keyrdataset, &mykeyrdataset);
+
+       result = dns_rdataset_first(&mydsrdataset);
        check_result(result, "empty DSset dataset");
        do {
-               dns_rdataset_current(dsrdataset, &dsrdata);
+               dns_rdata_t dsrdata = DNS_RDATA_INIT;
+
+               dns_rdataset_current(&mydsrdataset, &dsrdata);
 
                result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
                check_result(result, "dns_rdata_tostruct for DS");
 
-               result = dns_rdataset_first(keyrdataset);
+               result = dns_rdataset_first(&mykeyrdataset);
                check_result(result, "empty KEY dataset");
 
                do {
-                       dns_rdataset_current(keyrdataset, &keyrdata);
+                       dns_rdata_t keyrdata = DNS_RDATA_INIT;
+
+                       dns_rdataset_current(&mykeyrdataset, &keyrdata);
                        INSIST(keyrdata.type == dns_rdatatype_dnskey);
 
                        result = dns_dnssec_keyfromrdata(name, &keyrdata,
@@ -4843,6 +4868,7 @@ sigchase_verify_ds(dns_name_t *name, dns
                         * id of DNSKEY referenced by the DS
                         */
                        if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
+                               dns_rdata_t newdsrdata = DNS_RDATA_INIT;
 
                                result = dns_ds_buildrdata(name, &keyrdata,
                                                           dsinfo.digest_type,
@@ -4850,14 +4876,9 @@ sigchase_verify_ds(dns_name_t *name, dns
                                dns_rdata_freestruct(&dsinfo);
 
                                if (result != ISC_R_SUCCESS) {
-                                       dns_rdata_reset(&keyrdata);
-                                       dns_rdata_reset(&newdsrdata);
-                                       dns_rdata_reset(&dsrdata);
-                                       dst_key_free(&dnsseckey);
-                                       dns_rdata_freestruct(&dsinfo);
                                        printf("Oops: impossible to build"
                                               " new DS rdata\n");

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***