update to 9.10.8-P1, last isc-licensed release

844 files changed, 16892 insertions, 9097 deletions

diff --git a/usr.sbin/bind/CHANGES b/usr.sbin/bind/CHANGES
index 2e957dd5fd9..6af39218c94 100644
--- a/usr.sbin/bind/CHANGES
+++ b/usr.sbin/bind/CHANGES
@@ -1,19 +1,681 @@
-	--- 9.10.5-P3 released ---
+	--- 9.10.8-P1 released ---
+
+4997.	[security]	named could crash during recursive processing
+			of DNAME records when "deny-answer-aliases" was
+			in use. (CVE-2018-5740) [GL #387]
+
+	--- 9.10.8 released ---
+
+	--- 9.10.8rc2 released ---
+
+4984.	[bug]		Improve handling of very large incremental
+			zone transfers to prevent journal corruption. [GL #339]
+
+4981.	[bug]		Fix race in cmsg buffer usage in socket code.
+			[GL #180]
+
+4980.	[bug]		Named-checkconf failed to detect bad in-view targets.
+			[GL #288]
+
+4979.	[bug]		Non-libcap builds were not checking whether all
+			requested capabilities are present in the permitted
+			capability set. [GL #321]
+
+4977.	[func]		When starting up, log the same details that
+			would be reported by 'named -V'. [GL #247]
+
+4975.	[bug]		The server cookie computation for sha1 and sha256 did
+			not match the method described in RFC 7873. [GL #356]
+
+4972.	[func]		Declare the 'rdata' argument for dns_rdata_tostruct()
+			to be const. [GL #341]
+
+4971.	[bug]		dnssec-signzone and dnssec-verify did not treat records
+			below a DNAME as out-of-zone data. [GL #298]
+
+	--- 9.10.8rc1 released ---
+
+4968.	[bug]		If glue records are signed, attempt to validate them.
+			[GL #209]
+
+4965.	[func]		Add support for marking options as deprecated.
+			[GL #322]
+
+4964.	[bug]		Reduce the probabilty of double signature when deleting
+			a DNSKEY by checking if the node is otherwise signed
+			by the algorithm of the key to be deleted. [GL #240]
+
+4963.	[test]		ifconfig.sh now uses "ip" instead of "ifconfig",
+			if available, to configure the test interfaces on
+			linux.  [GL #302]
+
+4962.	[cleanup]	Move 'named -T' processing to its own function.
+			[GL #316]
+
+4960.	[security]	When recursion is enabled, but the "allow-recursion"
+			and "allow-query-cache" ACLs are not specified,
+			they should be limited to local networks,
+			but were inadvertently set to match the default
+			"allow-query", thus allowing remote queries.
+			(CVE-2018-5738) [GL #309]
+
+4958.	[bug]		Remove redundant space from NSEC3 record. [GL #281]
+
+4955.	[cleanup]	Silence cppcheck warnings in lib/dns/master.c.
+			[GL #286]
+
+4951.	[protocol]	Add "HOME.ARPA" to list of built in empty zones as
+			per RFC 8375. [GL #273]
+
+4950.	[bug]		ISC_SOCKEVENTATTR_TRUNC was not be set. [GL #238]
+
+4949.	[bug]		lib/isc/print.c failed to handle floating point
+			output correctly. [GL #261]
+
+4946.	[bug]		Additional glue was not being returned by resolver
+			for unsigned zones since change 4596. [GL #209]
+
+4939.	[test]		Add basic unit tests for update_sigs(). [GL #135]
+
+4933.	[bug]		Not creating signing keys for an inline signed zone
+			prevented changes applied to the raw zone from being
+			reflected in the secure zone until signing keys were
+			made available. [GL #159]
+
+4932.	[bug]		Bumped signed serial of an inline signed zone was
+			logged even when an error occurred while updating
+			signatures. [GL #159]
+
+4926.	[func]		Add root key sentinel support.  To disable, add
+			'root-key-sentinel no;' to named.conf. [GL #37]
+
+4918.	[bug]		Fix double free after keygen error in dnssec-keygen
+			when OpenSSL >= 1.1.0 is used and RSA_generate_key_ex
+			fails. [GL #109]
+
+4913.	[test]		Re-implemented older unit tests in bin/tests as ATF,
+			removed the lib/tests unit testing library. [GL #115]
+
+4910.	[func]		Update util/check-changes to work on release branches.
+			[GL #113]
+
+4909.	[bug]		named-checkconf did not detect in-view zone collisions.
+			[GL #125]
+
+4908.	[test]		Eliminated unnecessary waiting in the allow_query
+			system test. Also changed its name to allow-query.
+			[GL #81]
+
+4907.	[test]		Improved the reliabilty of the 'notify' system
+			test. [GL #59]
+
+4905.	[bug]		irs_resconf_load() ignored resolv.conf syntax errors
+			when "domain" or "search" options were present in that
+			file. [GL #110]
+
+4903.	[bug]		"check-mx fail;" did not prevent MX records containing
+			IP addresses from being added to a zone by a dynamic
+			update. [GL #112]
+
+4902.	[test]		Improved the reliability of the 'ixfr' system
+			test. [GL #66]
+
+4899.	[test]		Convert most of the remaining system tests to be able
+			to run in parallel, continuing the work from change
+			#4895. To take advantage of this, use "make -jN check",
+			where N is the number of processors to use. [GL #91]
+
+4896.	[test]		cacheclean system test was not robust. [GL #82]
+
+4895.	[test]		Allow some system tests to run in parallel.
+			[RT #46602]
+
+4893.	[bug]		Address various issues reported by cppcheck. [GL #51]
+
+4892.	[bug]		named could leak memory when "rndc reload" was invoked
+			before all zone loading actions triggered by a previous
+			"rndc reload" command were completed. [RT #47076]
+
+	--- 9.10.7 released ---
+
+	--- 9.10.7rc2 released ---
+
+4904.	[bug]		Temporarily revert change #4859. [GL #124]
+
+	--- 9.10.7rc1 released ---
+
+4889.	[func]		Warn about the use of old root keys without the new
+			root key being present.  Warn about dlv.isc.org's
+			key being present. Warn about both managed and
+			trusted root keys being present. [RT #43670]
+
+4888.	[test]		Initialize sockets correctly in sample-update so
+			that the nsupdate system test will run on Windows.
+			[RT #47097]
+
+4886.	[doc]		Document dig -u in manpage. [RT #47150]
+
+4885.	[security]	update-policy rules that otherwise ignore the name
+			field now require that it be set to "." to ensure
+			that any type list present is properly interpreted.
+			[RT #47126]
+
+4882.	[bug]		Address potential memory leak in
+			dns_update_signaturesinc. [RT #47084]
+
+4881.	[bug]		Only include dst_openssl.h when OpenSSL is required.
+			[RT #47068]
+
+4879.	[bug]		dns_rdata_caa:value_len field was too small.
+			[RT #47086]
+
+	--- 9.10.7b1 released ---
+
+4876.	[bug]		Address deadlock with accessing a keytable. [RT #47000]
+
+4874.	[bug]		Wrong time display when reporting new keywarntime.
+			[RT #47042]
+
+4872.	[bug]		Don't permit loading meta RR types such as TKEY
+			from master files. [RT #47009]
+
+4871.	[bug]		Fix configure glitch in detecting stdatomic.h
+			support on systems with multiple compilers.
+			[RT #46959]
+
+4870.	[test]		Update included ATF library to atf-0.21 preserving
+			the ATF tool. [RT #46967]
+
+4869.	[bug]		Address some cases where NULL with zero length could
+			be passed to memmove which is undefined behaviour and
+			can lead to bad optimisation. [RT #46888]
+
+4867.	[cleanup]	Normalize rndc on/off commands (validation and
+			querylog) so they accept the same synonyms
+			for on/off (yes/no, true/false, enable/disable).
+			Thanks to Tony Finch. [RT #47022]
+
+4866.	[port]		DST library initialization verifies MD5 (when MD5
+			was not disabled) and SHA-1 hash and HMAC support.
+			[RT #46764]
+
+4863.	[bug]		Fix various other bugs reported by Valgrind's
+			memcheck tool. [RT #46978]
+
+4862.	[bug]		The rdata flags for RRSIG were not being properly set
+			when constructing a rdataslab. [RT #46978]
+
+4861.	[bug]		The isc_crc64 unit test was not endian independent.
+			[RT #46973]
+
+4860.	[bug]		isc_int8_t should be signed char.  [RT #46973]
+
+4859.	[bug]		A loop was possible when attempting to validate
+			unsigned CNAME responses from secure zones;
+			this caused a delay in returning SERVFAIL and
+			also increased the chances of encountering
+			CVE-2017-3145. [RT #46839]
+
+4858.	[security]	Addresses could be referenced after being freed
+			in resolver.c, causing an assertion failure.
+			(CVE-2017-3145) [RT #46839]
+
+4857.	[bug]		Maintain attach/detach semantics for event->db,
+			event->node, event->rdataset and event->sigrdataset
+			in query.c. [RT #46891]
+
+4856.	[bug]		'rndc zonestatus' reported the wrong underlying type
+			for a inline slave zone. [RT #46875]
+
+4852.	[bug]		Add REQUIRE's and INSIST's to isc_time_formattimestamp,
+			isc_time_formathttptimestamp, isc_time_formatISO8601.
+			[RT #46892]
+
+4851.	[port]		Support using kyua as well as atf-run to run the unit
+			tests. [RT #46853]
+
+4846.	[test]		Adjust timing values in runtime system test. Address
+			named.pid removal races in runtime system test.
+			[RT #46800]
+
+4844.	[test]		Address memory leaks in libatf-c. [RT #46798]
+
+4843.	[bug]		dnssec-signzone free hashlist on exit. [RT #46791]
+
+4842.	[bug]		Conditionally compile opensslecdsa_link.c to avoid
+			warnings about unused function. [RT #46790]
+
+4841.	[bug]		Address -fsanitize=undefined warnings. [RT #46786]
+
+4840.	[test]		Add tests to cover fallback to using ZSK on inactive
+			KSK. [RT #46787]
+
+4839.	[bug]		zone.c:zone_sign was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46774]
+
+4838.	[bug]		zone.c:add_sigs was not properly determining
+			if there were active KSK and ZSK keys for
+			a algorithm when update-check-ksk is true
+			(default) leaving records unsigned with one or
+			more DNSKEY algorithms. [RT #46754]
+
+4837.	[bug]		dns_update_signatures{inc} (add_sigs) was not
+			properly determining if there were active KSK and
+			ZSK keys for a algorithm when update-check-ksk is
+			true (default) leaving records unsigned when there
+			were multiple DNSKEY algorithms for the zone.
+			[RT #46743]
+
+4836.	[bug]		Zones created using "rndc addzone" could
+			temporarily fail to inherit an "allow-transfer"
+			ACL that had been configured in the options
+			statement. [RT #46603]
+
+4833.	[bug]		isc_event_free should check that the event is not
+			linked when called. [RT #46725]
+
+4832.	[bug]		Events were not being removed from zone->rss_events.
+			[RT #46725]
+
+4831.	[bug]		Convert the RRSIG expirytime to 64 bits for
+			comparisions in diff.c:resign. [RT #46710]
+
+4830.	[bug]		Failure to configure ATF when requested did not cause
+			an error in top-level configure script. [RT #46655]
+
+4829.	[bug]		isc_heap_delete did not zero the index value when
+			the heap was created with a callback to do that.
+			[RT #46709]
+
+4827.	[misc]		Add a precommit check script util/checklibs.sh
+			[RT #46215]
+
+4826.	[cleanup]	Prevent potential build failures in bin/confgen/ and
+			bin/named/ when using parallel make. [RT #46648]
+
+4823.	[test]		Refactor reclimit system test to improve its
+			reliability and speed. [RT #46632]
+
+4822.	[bug]		Use resign_sooner in dns_db_setsigningtime. [RT #46473]
+
+4821.	[bug]		When resigning ensure that the SOA's expire time is
+			always later that the resigning time of other records.
+			[RT #46473]
+
+4820.	[bug]		dns_db_subtractrdataset should transfer the resigning
+			information to the new header. [RT #46473]
+
+4819.	[bug]		Fully backout the transaction when adding a RRset
+			to the resigning / removal heaps fails. [RT #46473]
+
+4818.	[test]		The logfileconfig system test could intermittently
+			report false negatives on some platforms. [RT #46615]
+
+4817.	[cleanup]	Use DNS_NAME_INITABSOLUTE and DNS_NAME_INITNONABSOLUTE.
+			[RT #45433]
+
+4816.	[bug]		Don't use a common array for storing EDNS options
+			in DiG as it could fill up. [RT #45611]
+
+4815.	[bug]		rbt_test.c:insert_and_delete needed to call
+			dns_rbt_addnode instead of dns_rbt_addname. [RT #46553]
+
+4814.	[cleanup]	Use AS_HELP_STRING for consistent help text. [RT #46521]
+
+4812.	[bug]		Minor improvements to stability and consistency of code
+			handling managed keys. [RT #46468]
+
+4810.	[test]		The chain system test failed if the IPv6 interfaces
+			were not configured. [RT #46508]
+
+4809.	[port]		Check at configure time whether -latomic is needed
+			for stdatomic.h. [RT #46324]
+
+4805.	[bug]		TCP4Active and TCP6Active weren't being updated
+			correctly. [RT #46454]
+
+4804.	[port]		win32: access() does not work on directories as
+			required by POSIX.  Supply a alternative in
+			isc_file_isdirwritable. [RT #46394]
+
+4803.   [bug]		Backport fix for RT #46055 from RT #46267. [RT #46430]
+
+4792.	[bug]		Fix map file header correctness check. [RT #38418]
+
+4791.	[doc]		Fixed outdated documentation about export libraries.
+			[RT #46341]
+
+4790.	[bug]		nsupdate could trigger a require when sending a
+			update to the second address of the server.
+			[RT #45731]
+
+4788.	[cleanup]	When using "update-policy local", log a warning
+			when an update matching the session key is received
+			from a remote host. [RT #46213]
+
+4787.	[cleanup]	Turn nsec3param_salt_totext() into a public function,
+			dns_nsec3param_salttotext(), and add unit tests for it.
+			[RT #46289]
+
+4783.	[test]		dnssec: 'check that NOTIFY is sent at the end of
+			NSEC3 chain generation failed' required more time
+			on some machines for the IXFR to complete. [RT #46388]
+
+4781.	[maint]		B.ROOT-SERVERS.NET is now 199.9.14.201. [RT #45889]
+
+4780.	[bug]		When answering ANY queries, don't include the NS
+			RRset in the authority section if it was already
+			in the answer section. [RT #44543]
+
+4777.	[cleanup]	Removed a redundant call to configure_view_acl().
+			[RT #46369]
+
+4774.	[bug]		<isc/util.h> was incorrectly included in several
+			header files. [RT #46311]
+
+4773.	[doc]		Fixed generating Doxygen documentation for functions
+			annotated using certain macros.  Miscellaneous
+			Doxygen-related cleanups. [RT #46276]
+
+4771.	[bug]		When sending RFC 5011 refresh queries, disregard
+			cached DNSKEY rrsets. [RT #46251]
+
+4770.	[bug]		Cache additional data from priming queries as glue.
+			Previously they were ignored as unsigned
+			non-answer data from a secure zone, and never
+			actually got added to the cache, causing hints
+			to be used frequently for root-server
+			addresses, which triggered re-priming. [RT #45241]
+
+4769.	[bug]		Enforce the requirement that the managed keys
+			directory (specified by "managed-keys-directory",
+			and defaulting to the working directory if not
+			specified) must be writable. [RT #46077]
+
+4766.	[cleanup]	Addresss Coverity warnings. [RT #46150]
+
+4762.	[func]		"update-policy local" is now restricted to updates
+			from local addresses. (Previously, other addresses
+			were allowed so long as updates were signed by the
+			local session key.) [RT #45492]
+
+4761.	[protocol]	Add support for DOA. [RT #45612]
+
+4759.	[func]		Add logging channel "trust-anchor-telementry" to
+			record trust-anchor-telementry in incoming requests.
+			Both _ta-XXXX.<anchor>/NULL and EDNS KEY-TAG options
+			are logged.  [RT #46124]
+
+4758.	[doc]		Remove documentation of unimplemented "topology".
+			[RT #46161]
+
+4756.	[bug]		Interrupting dig could lead to an INSIST failure after
+			certain errors were encountered while querying a host
+			whose name resolved to more than one address.  Change
+			4537 increased the odds of triggering this issue by
+			causing dig to hang indefinitely when certain error
+			paths were evaluated.  dig now also retries TCP queries
+			(once) if the server gracefully closes the connection
+			before sending a response. [RT #42832, #45159]
+
+4754.	[bug]		dns_zone_setview needs a two stage commit to properly
+			handle errors. [RT #45841]
+
+4753.	[contrib]	Software obtainable from known upstream locations
+			(i.e., zkt, nslint, query-loc) has been removed.
+			Links to these and other packages can be found at
+			https://www.isc.org/community/tools [RT #46182]
+
+4752.	[test]		Add unit test for isc_net_pton. [RT #46171]
+
+4749.	[func]		The ISC DLV service has been shut down, and all
+			DLV records have been removed from dlv.isc.org.
+			- Removed references to ISC DLV in documentation
+			- Removed DLV key from bind.keys
+			- No longer use ISC DLV by default in delv
+			[RT #46155]
+
+4748.	[cleanup]	Sprintf to snprintf coversions. [RT #46132]
+
+4746.	[cleanup]	Add configured prefixes to configure summary
+			output. [RT #46153]
+
+4745.	[test]		Add color-coded pass/fail messages to system
+			tests when running on terminals that support them.
+			[RT #45977]
+
+4744.	[bug]		Suppress trust-anchor-telementry queries if
+			validation is disabled. [RT #46131]
+
+4741.	[bug]		Make isc_refcount_current() atomically read the
+			counter value. [RT #46074]
+
+4739.	[cleanup]	Address clang static analysis warnings. [RT #45952]
+
+4738.	[port]		win32: strftime mishandles %Z. [RT #46039]
+
+4737.	[cleanup]	Address Coverity warnings. [RT #46012]
+
+4736.	[cleanup]	(a) Added comments to NSEC3-related functions in
+			lib/dns/zone.c.  (b) Refactored NSEC3 salt formatting
+			code.  (c) Minor tweaks to lock and result handling.
+			[RT #46053]
+
+4735.	[bug]		Add @ISC_OPENSSL_LIBS@ to isc-config. [RT #46078]
+
+4734.	[contrib]	Added sample configuration for DNS-over-TLS in
+			contrib/dnspriv.
+
+4730.	[bug]		Fix out of bounds access in DHCID totext() method.
+			[RT #46001]
+
+4729.	[bug]		Don't use memset() to wipe memory, as it may be
+			removed by compiler optimizations when the
+			memset() occurs on automatic stack allocation
+			just before function return. [RT #45947]
+
+4728.	[func]		Use C11's stdatomic.h instead of isc_atomic
+			where available. [RT #40668]
+
+4727.	[bug]		Retransferring an inline-signed slave using NSEC3
+			around the time its NSEC3 salt was changed could result
+			in an infinite signing loop. [RT #45080]
+
+4725.	[bug]		Nsupdate: "recvsoa" was incorrectly reported for
+			failures in sending the update message.  The correct
+			location to be reported is "update_completed".
+			[RT #46014]
+
+4722.	[cleanup]	Clean up uses of strcpy() and strcat() in favor of
+			strlcpy() and strlcat() for safety. [RT #45981]
+
+4719.	[bug]		Address PVS static analyzer warnings. [RT #45946]
+
+4717.	[bug]		Treat replies with QCOUNT=0 as truncated if TC=1,
+			FORMERR if TC=0, and log the error correctly.
+			[RT #45836]
+
+4715.	[bug]		TreeMemMax was mis-identified as a second HeapMemMax
+			in the Json cache statistics. [RT #45980]
+
+4714.	[port]		openbsd/libressl: add support for building with
+			--enable-openssl-hash. [RT #45982]
+
+4713.	[cleanup]	Minor revisions to RPZ code to reduce
+			differences with the development branch. [RT #46037]
+
+4712.	[bug]		"dig +domain" and "dig +search" didn't retain the
+			search domain when retrying with TCP. [RT #45547]
+
+4711.	[test]		Some RR types were missing from genzones.sh.
+			[RT #45782]
+
+4709.	[cleanup]	Use dns_name_fullhash() to hash names for RRL.
+			[RT #45435]
+
+4703.	[bug]		BINDInstall.exe was missing some buffer length checks.
+			[RT #45898]
+
+4698.	[port]		Add --with-python-install-dir configure option to allow
+			specifying a nonstandard installation directory for
+			Python modules. [RT #45407]
+
+4696.	[port]		Enable filter-aaaa support by default on Windows
+			builds. [RT #45883]
+
+4692.	[bug]		Fix build failures with libressl introduced in 4676.
+			[RT #45879]
+
+4690.	[bug]		Command line options -4/-6 were handled inconsistently
+			between tools. [RT #45632]
+
+4689.	[cleanup]	Turn on minimal responses for CDNSKEY and CDS in
+			addition to DNSKEY and DS. Thanks to Tony Finch.
+			[RT #45690]
+
+4688.	[protocol]	Check and display EDNS KEY TAG options (RFC 8145) in
+			messages. [RT #44804]
+
+4686.	[bug]		dnssec-settime -p could print a bogus warning about
+			key deletion scheduled before its inactivation when a
+			key had an inactivation date set but no deletion date
+			set. [RT #45807]
+
+4685.	[bug]		dnssec-settime incorrectly calculated publication and
+			activation dates for a successor key. [RT #45806]
+
+4684.	[bug]		delv could send bogus DNS queries when an explicit
+			server address was specified on the command line along
+			with -4/-6. [RT #45804]
+
+4683.	[bug]		Prevent nsupdate from immediately exiting on invalid
+			user input in interactive mode. [RT #28194]
+
+4682.	[bug]		Don't report errors on records below a DNAME.
+			[RT #44880]
+
+4680.	[bug]		Fix failing over to another master server address when
+			nsupdate is used with GSS-API. [RT #45380]
+
+4679.	[cleanup]	Suggest using -o when dnssec-verify finds a SOA record
+			not at top of zone and -o is not used. [RT #45519]
+
+4677.	[cleanup]	Split up the main function in dig to better support
+			the iOS app version. [RT #45508]
+
+4676.	[cleanup]	Allow BIND to be built using OpenSSL 1.0.X with
+			deprecated functions removed. [RT #45706]
+
+4675.	[cleanup]	Don't use C++ keyword class. [RT #45726]
+
+4673.	[port]		Silence GCC 7 warnings. [RT #45592]
+
+4672.	[bug]		Fix a regression introduced by change 3938 (when
+			--enable-fetchlimit is NOT in use), where named
+			as resolver would, upon fetch timeout, repeat
+			fetching from the same nameserver address. This
+			also broke "forward first;" configurations (as
+			forwarders are also treated as nameservers when
+			fetching). [RT #45321]
+
+4671.	[bug]		Fix a race condition that could cause the
+			resolver to crash with assertion failure when
+			chasing DS in specific conditions with a very
+			short RTT to the upstream nameserver. [RT #45168]
+
+4670.	[cleanup]	Ensure that a request MAC is never sent back
+			in an XFR response unless the signature was
+			verified. [RT #45494]
+
+4668.	[bug]		Use localtime_r and gmtime_r for thread safety.
+			[RT #45664]
+
+4667.	[cleanup]	Refactor RDATA unit tests. [RT #45610]
+
+4665.	[protocol]	Added support for ED25519 and ED448 DNSSEC signing
+			algorithms (RFC 8080). (Note: these algorithms
+			depend on code currently in the development branch
+			of OpenSSL which has not yet been released.)
+			[RT #44696]
+
+4663.	[cleanup]	Clarify error message printed by dnssec-dsfromkey.
+			[RT #21731]
+
+4662.	[performance]	Improve cache memory cleanup of zero TTL records
+			by putting them at the tail of LRU header lists.
+			[RT #45274]
+
+4661.	[bug]		A race condition could occur if a zone was reloaded
+			while resigning, triggering a crash in
+			rbtdb.c:closeversion(). [RT #45276]
+
+4660.	[bug]		Remove spurious "peer" from Windows socket log
+			messages. [RT #45617]
+
+4658.	[bug]		Clean up build directory created by "setup.py install"
+			immediately.  [RT #45628]
+
+4657.	[bug]		rrchecker system test result could be improperly
+			determined. [RT #45602]
+
+4655.	[bug]		Lack of seccomp could be falsely reported. [RT #45599]
+
+4654.	[cleanup]	Don't use C++ keywords delete, new and namespace.
+			[RT #45538]
+
+4652.	[bug]		Nsupdate could attempt to use a zeroed address on
+			server timeout. [RT #45417]
+
+4651.	[test]		Silence coverity warnings in tsig_test.c. [RT #45528]
+
+	--- 9.10.6 released ---
+
+	--- 9.10.6rc2 released ---
+
+4653.	[bug]		Reorder includes to move @DST_OPENSSL_INC@ and
+			@ISC_OPENSSL_INC@ after shipped include directories.
+			[RT #45581]
+
+	--- 9.10.6rc1 released ---
 
 4647.	[bug]		Change 4643 broke verification of TSIG signed TCP
 			message sequences where not all the messages contain
 			TSIG records.  These may be used in AXFR and IXFR
 			responses. [RT #45509]
 
-	--- 9.10.5-P2 released ---
+4645.	[bug]		Fix PKCS#11 RSA parsing when MD5 is disabled.
+			[RT #45300]
+
+	--- 9.10.6b1 released ---
 
 4643.	[security]	An error in TSIG handling could permit unauthorized
 			zone transfers or zone updates. (CVE-2017-3142)
 			(CVE-2017-3143) [RT #45383]
 
-4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
+4642.	[cleanup]	Add more logging of RFC 5011 events affecting the
+			status of managed keys: newly observed keys,
+			deletion of revoked keys, etc. [RT #45354]
+
+4641.	[cleanup]	Parallel builds (make -j) could fail with --with-atf /
+			--enable-developer. [RT #45373]
 
-	--- 9.10.5-P1 released ---
+4640.	[bug]		If query_findversion failed in query_getdb due to
+			memory failure the error status was incorrectly
+			discarded. [RT #45331]
+
+4636.	[bug]		Normalize rpz policy zone names when checking for
+			existence. [RT #45358]
+
+4635.	[bug]		Fix RPZ NSDNAME logging that was logging
+			failures as NSIP. [RT #45052]
+
+4634.	[contrib]	check5011.pl needs to handle optional space before
+			semi-colon in +multi-line output. [RT #45352]
+
+4633.	[maint]		Updated AAAA (2001:500:200::b) for B.ROOT-SERVERS.NET.
 
 4632.	[security]	The BIND installer on Windows used an unquoted
 			service path, which can enable privilege escalation.
@@ -23,6 +685,117 @@
 			query loop when encountering responses with TTL=0.
 			(CVE-2017-3140) [RT #45181]
 
+4629.	[bug]		dns_client_startupdate could not be called with a
+			running client. [RT #45277]
+
+4628.	[bug]		Fixed a potential reference leak in query_getdb().
+			[RT #45247]
+
+4627.	[func]		Deprecate 'dig +sit', it is replaced by 'dig +cookie'.
+			[RT #45245]
+
+4626.	[test]		Added more tests for handling of different record
+			ordering in CNAME and DNAME responses. [QA #430]
+
+4624.	[bug]		Check isc_mem_strdup results in dns_view_setnewzones.
+			[RT #45210]
+
+4622.	[bug]		Remove unnecessary escaping of semicolon in CAA and
+			URI records. [RT #45216]
+
+4621.	[port]		Force alignment of oid arrays to silence loader
+			warnings. [RT #45131]
+
+4620.	[port]		Handle EPFNOSUPPORT being returned when probing
+			to see if a socket type is supported. [RT #45214]
+
+4617.	[test]		Update rndc system test to be more delay tolerant.
+			[RT #45177]
+
+4615.	[bug]		AD could be set on truncated answer with no records
+			present in the answer and authority sections.
+			[RT #45140]
+
+4614.	[test]		Fixed an error in the sockaddr unit test. [RT #45146]
+
+4612.	[bug]		Silence 'may be use uninitalised' warning and simplify
+			the code in lwres/getaddinfo:process_answer.
+			[RT #45158]
+
+4609.	[cleanup]	Rearrange makefiles to enable parallel execution
+			(i.e. "make -j"). [RT #45078]
+
+4608.	[func]		DiG now warns about .local queries which are reserved
+			for Multicast DNS. [RT #44783]
+
+4606.	[port]		Stop using experimental "Experimental keys on scalar"
+			feature of perl as it has been removed. [RT #45012]
+
+4604.	[bug]		Don't use ERR_load_crypto_strings() when building
+			with OpenSSL 1.1.0. [RT #45117]
+
+4603.	[doc]		Automatically generate named.conf(5) man page
+			from doc/misc/options. Thanks to Tony Finch.
+			[RT #43525]
+
+4602.	[func]		Threads are now set to human-readable
+			names to assist debugging, when supported by
+			the OS. [RT #43234]
+
+4601.	[bug]		Reject incorrect RSA key lengths during key
+			generation and and sign/verify context
+			creation. [RT #45043]
+
+4600.	[bug]		Adjust RPZ trigger counts only when the entry
+			being deleted exists. [RT #43386]
+
+4599.	[bug]		Fix inconsistencies in inline signing time
+			comparison that were introduced with the
+			introduction of rdatasetheader->resign_lsb.
+			[RT #42112]
+
+4597.	[bug]		The validator now ignores SHA-1 DS digest type
+			when a DS record with SHA-384 digest type is
+			present and is a supported digest type.
+			[RT #45017]
+
+4596.	[bug]		Validate glue before adding it to the additional
+			section. This also fixes incorrect TTL capping
+			when the RRSIG expired earlier than the TTL.
+			[RT #45062]
+
+4593.	[doc]		Update README using markdown, remove outdated FAQ
+			file in favor of the knowledge base.
+
+4592.	[bug]		A race condition on shutdown could trigger an
+			assertion failure in dispatch.c. [RT #43822]
+
+4591.	[port]		Addressed some python 3 compatibility issues.
+			Thanks to Ville Skytta. [RT #44955] [RT #44956]
+
+4590.	[bug]		Support for PTHREAD_MUTEX_ADAPTIVE_NP was not being
+			properly detected. [RT #44871]
+
+4589.	[cleanup]	"configure -q" is now silent. [RT #44829]
+
+4588.	[bug]		nsupdate could send queries for TKEY to the wrong
+			server when using GSSAPI. Thanks to Tomas Hozza.
+			[RT #39893]
+
+4587.	[bug]		named-checkzone failed to handle occulted data below
+			DNAMEs correctly. [RT #44877]
+
+4585.	[port]		win32: Set CompileAS value. [RT #42474]
+
+4584.	[bug]		A number of memory usage statistics were not properly
+			reported when they exceeded 4G.  [RT #44750]
+
+4574.	[bug]		Dig leaked memory with multiple +subnet options.
+			[RT #44683]
+
+4555.	[func]		dig +ednsopt: EDNS options can now be specified by
+			name in addition to numeric value. [RT #44461]
+
 	--- 9.10.5 released ---
 
 	--- 9.10.5rc3 released ---
@@ -204,7 +977,7 @@
 
 4503.	[cleanup]	"make uninstall" now removes files installed by
 			BIND. (This currently excludes Python files
-			due to lack of support in setup.py.) [RT #42912]
+			due to lack of support in setup.py.) [RT #42192]
 
 4502.	[func]		Report multiple and experimental options when printing
 			grammar. [RT #43134]
@@ -1287,7 +2060,7 @@
 			conditions causing SERVFAILs when resolving.
 			[RT #35538]
 
-3812.	[func]		Dig now supports sending arbitary EDNS options from
+3812.	[func]		Dig now supports sending arbitrary EDNS options from
 			the command line (+ednsopt=code[:value]). [RT #35584]
 
 	--- 9.10.2 released ---
@@ -1305,13 +2078,13 @@
 4058.	[bug]		UDP dispatches could use the wrong pseudorandom
 			number generator context. [RT #38578]
 
+4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
+			[RT #38565]
+
 4056.	[bug]		Fixed several small bugs in automatic trust anchor
 			management, including a memory leak and a possible
 			loss of key state information. [RT #38458]
 
-4057.	[bug]		'dnssec-dsfromkey -T 0' failed to add ttl field.
-			[RT #38565]
-
 4053.	[security]	Revoking a managed trust anchor and supplying
 			an untrusted replacement could cause named
 			to crash with an assertion failure.
@@ -1425,7 +2198,7 @@
 			not being properly set leading to a potentially
 			spurious 'inherited owner' warning. [RT #37919]
 
-4012.	[bug]		Check returned status of OpenSSL digest and HMAC
+4012.	[cleanup]	Check returned status of OpenSSL digest and HMAC
 			functions when they return one. Note this applies
 			only to FIPS capable OpenSSL libraries put in
 			FIPS mode and MD5. [RT #37944]
@@ -1433,8 +2206,8 @@
 4011.	[bug]		master's list port and dscp inheritance was not
 			properly implemented. [RT #37792]
 
-4010.	[cleanup]	Clear the prefetchable state when initiating a prefetch.
-			[RT #37399]
+4010.	[cleanup]	Clear the prefetchable state when initiating a
+			prefetch. [RT #37399]
 
 4008.	[contrib]	Updated zkt to latest version (1.1.3). [RT #37886]
 
@@ -1490,7 +2263,7 @@
 
 3989.	[cleanup]	Remove redundant dns_db_resigned calls. [RT #35748]
 
-3987.	[func]		Handle future Visual Studio 14 incompatible changes.
+3987.	[port]		Handle future Visual Studio 14 incompatible changes.
 			[RT #37380]
 
 3986.	[doc]		Add the BIND version number to page footers
@@ -1798,7 +2571,7 @@
 			to be made. [RT #36020]
 
 3856.	[bug]		Configuring libjson without also configuring libxml
-			resulting in a REQUIRE assertion when retrieving
+			resulted in a REQUIRE assertion when retrieving
 			statistics using json. [RT #36009]
 
 3855.	[bug]		Limit smoothed round trip time aging to no more than
@@ -1812,8 +2585,8 @@
 
 3851.	[func]		Allow libseccomp based system-call filtering
 			on Linux; use "configure --enable-seccomp" to
-			turn it on.  Thanks to Loganaden Velvindron for
-			the contribution. [RT #35347]
+			turn it on.  Thanks to Loganaden Velvindron
+			of AFRINIC for the contribution. [RT #35347]
 
 3850.	[bug]		Disabling forwarding could trigger a REQUIRE assertion.
 			[RT #35979]
@@ -3255,7 +4028,7 @@
 3414.	[bug]		Address locking issues found by Coverity. [RT #31626]
 
 3413.	[func]		Record the number of DNS64 AAAA RRsets that have been
-			synthesized. [RT #27636]
+			synthesised. [RT #27636]
 
 3412.	[bug]		Copy timeval structure from control message data.
 			[RT #31548]
@@ -10498,7 +11271,7 @@
 1137.	[func]		It is now possible to flush a given name from the
 			ADB by calling the new function dns_adb_flushname().
 
-1136.	[bug]		CNAME records synthesized from DNAMEs did not
+1136.	[bug]		CNAME records synthesised from DNAMEs did not
 			have a TTL of zero as required by RFC2672.
 			[RT #2129]
 
@@ -12292,7 +13065,7 @@
 
  586.	[bug]		multiple views with the same name were fatal. [RT #516]
 
- 585.	[func]		dns_db_addrdataset() and and dns_rdataslab_merge()
+ 585.	[func]		dns_db_addrdataset() and dns_rdataslab_merge()
 			now support 'exact' additions in a similar manner to
 			dns_db_subtractrdataset() and dns_rdataslab_subtract().
 
diff --git a/usr.sbin/bind/COPYRIGHT b/usr.sbin/bind/COPYRIGHT
index e09f6a15b3c..9772b23dfea 100644
--- a/usr.sbin/bind/COPYRIGHT
+++ b/usr.sbin/bind/COPYRIGHT
@@ -1,5 +1,4 @@
-Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
-Copyright (C) 1996-2003  Internet Software Consortium.
+Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/FAQ.xml b/usr.sbin/bind/FAQ.xml
index d8df8a8e083..85b8ab4a85f 100644
--- a/usr.sbin/bind/FAQ.xml
+++ b/usr.sbin/bind/FAQ.xml
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004-2010, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -20,27 +19,10 @@
 
   <articleinfo>
     <copyright>
-      <year>2004</year>
-      <year>2005</year>
-      <year>2006</year>
-      <year>2007</year>
-      <year>2008</year>
-      <year>2009</year>
-      <year>2010</year>
-      <year>2013</year>
-      <year>2014</year>
-      <year>2015</year>
-      <year>2016</year>
       <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </articleinfo>
   <qandaset defaultlabel="qanda">
 
diff --git a/usr.sbin/bind/HISTORY b/usr.sbin/bind/HISTORY
index 6db5f2d88e9..1f088a9d499 100644
--- a/usr.sbin/bind/HISTORY
+++ b/usr.sbin/bind/HISTORY
@@ -1,364 +1,278 @@
-Summary of functional enhancements from prior major releases of BIND 9:
+Functional enhancements from prior major releases of BIND 9
+
+BIND 9.9.0
+
+BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
+releases. New features include:
+
+  * Inline signing, allowing automatic DNSSEC signing of master zones
+    without modification of the zonefile, or "bump in the wire" signing in
+    slaves.
+  * NXDOMAIN redirection.
+  * New 'rndc flushtree' command clears all data under a given name from
+    the DNS cache.
+  * New 'rndc sync' command dumps pending changes in a dynamic zone to
+    disk without a freeze/thaw cycle.
+  * New 'rndc signing' command displays or clears signing status records
+    in 'auto-dnssec' zones.
+  * NSEC3 parameters for 'auto-dnssec' zones can now be set prior to
+    signing, eliminating the need to initially sign with NSEC.
+  * Startup time improvements on large authoritative servers.
+  * Slave zones are now saved in raw format by default.
+  * Several improvements to response policy zones (RPZ).
+  * Improved hardware scalability by using multiple threads to listen for
+    queries and using finer-grained client locking
+  * The 'also-notify' option now takes the same syntax as 'masters', so it
+    can used named masterlists and TSIG keys.
+  * 'dnssec-signzone -D' writes an output file containing only DNSSEC
+    data, which can be included by the primary zone file.
+  * 'dnssec-signzone -R' forces removal of signatures that are not expired
+    but were created by a key which no longer exists.
+  * 'dnssec-signzone -X' allows a separate expiration date to be specified
+    for DNSKEY signatures from other signatures.
+  * New '-L' option to dnssec-keygen, dnssec-settime, and
+    dnssec-keyfromlabel sets the default TTL for the key.
+  * dnssec-dsfromkey now supports reading from standard input, to make it
+    easier to convert DNSKEY to DS.
+  * RFC 1918 reverse zones have been added to the empty-zones table per
+    RFC 6303.
+  * Dynamic updates can now optionally set the zone's SOA serial number to
+    the current UNIX time.
+  * DLZ modules can now retrieve the source IP address of the querying
+    client.
+  * 'request-ixfr' option can now be set at the per-zone level.
+  * 'dig +rrcomments' turns on comments about DNSKEY records, indicating
+    their key ID, algorithm and function
+  * Simplified nsupdate syntax and added readline support
 
 BIND 9.8.0
 
-        BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
-        releases.  New features include:
-
-        - Built-in trust anchor for the root zone, which can be
-          switched on via "dnssec-validation auto;"
-        - Support for DNS64.
-        - Support for response policy zones (RPZ).
-        - Support for writable DLZ zones.
-        - Improved ease of configuration of GSS/TSIG for
-          interoperability with Active Directory
-        - Support for GOST signing algorithm for DNSSEC.
-        - Removed RTT Banding from server selection algorithm.
-        - New "static-stub" zone type.
-        - Allow configuration of resolver timeouts via
-          "resolver-query-timeout" option.
-        - The DLZ "dlopen" driver is now built by default.
-        - Added a new include file with function typedefs
-          for the DLZ "dlopen" driver.
-        - Made "--with-gssapi" default.
-        - More verbose error reporting from DLZ LDAP.
+BIND 9.8.0 includes a number of changes from BIND 9.7 and earlier
+releases. New features include:
+
+  * Built-in trust anchor for the root zone, which can be switched on via
+    "dnssec-validation auto;"
+  * Support for DNS64.
+  * Support for response policy zones (RPZ).
+  * Support for writable DLZ zones.
+  * Improved ease of configuration of GSS/TSIG for interoperability with
+    Active Directory
+  * Support for GOST signing algorithm for DNSSEC.
+  * Removed RTT Banding from server selection algorithm.
+  * New "static-stub" zone type.
+  * Allow configuration of resolver timeouts via "resolver-query-timeout"
+    option.
+  * The DLZ "dlopen" driver is now built by default.
+  * Added a new include file with function typedefs for the DLZ "dlopen"
+    driver.
+  * Made "--with-gssapi" default.
+  * More verbose error reporting from DLZ LDAP.
 
 BIND 9.7.0
 
-	BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
-	releases.  Most are intended to simplify DNSSEC configuration.
-	New features include:
-
-	- Fully automatic signing of zones by "named".
-	- Simplified configuration of DNSSEC Lookaside Validation (DLV).
-	- Simplified configuration of Dynamic DNS, using the "ddns-confgen"
-	  command line tool or the "local" update-policy option.  (As a side
-	  effect, this also makes it easier to configure automatic zone
-	  re-signing.)
-	- New named option "attach-cache" that allows multiple views to
-	  share a single cache.
-	- DNS rebinding attack prevention.
-	- New default values for dnssec-keygen parameters.
-	- Support for RFC 5011 automated trust anchor maintenance
-	- Smart signing: simplified tools for zone signing and key
-	  maintenance.
-	- The "statistics-channels" option is now available on Windows.
-	- A new DNSSEC-aware libdns API for use by non-BIND9 applications
-	- On some platforms, named and other binaries can now print out
-	  a stack backtrace on assertion failure, to aid in debugging.
-	- A "tools only" installation mode on Windows, which only installs
-	  dig, host, nslookup and nsupdate.
-	- Improved PKCS#11 support, including Keyper support and explicit
-	  OpenSSL engine selection.
+BIND 9.7.0 includes a number of changes from BIND 9.6 and earlier
+releases. Most are intended to simplify DNSSEC configuration. New features
+include:
+
+  * Fully automatic signing of zones by "named".
+  * Simplified configuration of DNSSEC Lookaside Validation (DLV).
+  * Simplified configuration of Dynamic DNS, using the "ddns-confgen"
+    command line tool or the "local" update-policy option. (As a side
+    effect, this also makes it easier to configure automatic zone
+    re-signing.)
+  * New named option "attach-cache" that allows multiple views to share a
+    single cache.
+  * DNS rebinding attack prevention.
+  * New default values for dnssec-keygen parameters.
+  * Support for RFC 5011 automated trust anchor maintenance
+  * Smart signing: simplified tools for zone signing and key maintenance.
+  * The "statistics-channels" option is now available on Windows.
+  * A new DNSSEC-aware libdns API for use by non-BIND9 applications
+  * On some platforms, named and other binaries can now print out a stack
+    backtrace on assertion failure, to aid in debugging.
+  * A "tools only" installation mode on Windows, which only installs dig,
+    host, nslookup and nsupdate.
+  * Improved PKCS#11 support, including Keyper support and explicit
+    OpenSSL engine selection.
 
 BIND 9.6.0
 
-        Full NSEC3 support
-
-        Automatic zone re-signing
-
-	New update-policy methods tcp-self and 6to4-self
-
-        The BIND 8 resolver library, libbind, has been removed from the
-        BIND 9 distribution and is now available as a separate download.
-
-	Change the default pid file location from /var/run to
-	/var/run/{named,lwresd} for improved chroot/setuid support.
+  * Full NSEC3 support
+  * Automatic zone re-signing
+  * New update-policy methods tcp-self and 6to4-self
+  * The BIND 8 resolver library, libbind, has been removed from the BIND 9
+    distribution and is now available as a separate download.
+  * Change the default pid file location from /var/run to /var/run/
+    {named,lwresd} for improved chroot/setuid support.
 
 BIND 9.5.0
 
-	GSS-TSIG support (RFC 3645).
-
-	DHCID support.
-
-	Experimental http server and statistics support for named via xml.
-
-	More detailed statistics counters including those supported in BIND 8.
-
-	Faster ACL processing.
-
-	Use Doxygen to generate internal documentation.
-
-        Efficient LRU cache-cleaning mechanism.
-
-        NSID support.
+  * GSS-TSIG support (RFC 3645).
+  * DHCID support.
+  * Experimental http server and statistics support for named via xml.
+  * More detailed statistics counters including those supported in BIND 8.
+  * Faster ACL processing.
+  * Use Doxygen to generate internal documentation.
+  * Efficient LRU cache-cleaning mechanism.
+  * NSID support.
 
 BIND 9.4.0
 
-	Implemented "additional section caching (or acache)", an
-	internal cache framework for additional section content to
-	improve response performance.  Several configuration options
-	were provided to control the behavior.
-
-	New notify type 'master-only'.  Enable notify for master
-	zones only.
-
-	Accept 'notify-source' style syntax for query-source.
-
-	rndc now allows addresses to be set in the server clauses.
-
-	New option "allow-query-cache".  This lets "allow-query"
-	be used to specify the default zone access level rather
-	than having to have every zone override the global value.
-	"allow-query-cache" can be set at both the options and view
-	levels.  If "allow-query-cache" is not set then "allow-recursion"
-	is used if set, otherwise "allow-query" is used if set
-	unless "recursion no;" is set in which case "none;" is used,
-	otherwise the default (localhost; localnets;) is used.
-
-	rndc: the source address can now be specified.
-
-	ixfr-from-differences now takes master and slave in addition
-	to yes and no at the options and view levels.
-
-	Allow the journal's name to be changed via named.conf.
-
-	'rndc notify zone [class [view]]' resend the NOTIFY messages
-	for the specified zone.
-
-	'dig +trace' now randomly selects the next servers to try.
-	Report if there is a bad delegation.
-
-	Improve check-names error messages.
-
-	Make public the function to read a key file, dst_key_read_public().
-
-	dig now returns the byte count for axfr/ixfr.
-			
-	allow-update is now settable at the options / view level.
-
-	named-checkconf now checks the logging configuration.
-
-	host now can turn on memory debugging flags with '-m'.
-
-	Don't send notify messages to self.
-
-	Perform sanity checks on NS records which refer to 'in zone' names.
-
-	New zone option "notify-delay".  Specify a minimum delay
-	between sets of NOTIFY messages.
-
-	Extend adjusting TTL warning messages.
-
-	Named and named-checkzone can now both check for non-terminal
-	wildcard records.
-
-	"rndc freeze/thaw" now freezes/thaws all zones.
-
-	named-checkconf now check acls to verify that they only
-	refer to existing acls.
-
-	The server syntax has been extended to support a range of
-	servers.
-
-	Report differences between hints and real NS rrset and
-	associated address records.
-
-	Preserve the case of domain names in rdata during zone
-	transfers.
-
-	Restructured the data locking framework using architecture
-	dependent atomic operations (when available), improving
-	response performance on multi-processor machines significantly.
-	x86, x86_64, alpha, powerpc, and mips are currently supported.
-
-	UNIX domain controls are now supported.
-
-	Add support for additional zone file formats for improving
-	loading performance.  The masterfile-format option in
-	named.conf can be used to specify a non-default format.  A
-	separate command named-compilezone was provided to generate
-	zone files in the new format.  Additionally, the -I and -O
-	options for dnssec-signzone specify the input and output
-	formats.
-
-	dnssec-signzone can now randomize signature end times
-	(dnssec-signzone -j jitter).
-
-	Add support for CH A record.
-
-	Add additional zone data constancy checks.  named-checkzone
-	has extended checking of NS, MX and SRV record and the hosts
-	they reference.  named has extended post zone load checks.
-	New zone options: check-mx and integrity-check.
-
-
-	edns-udp-size can now be overridden on a per server basis.
-
-	dig can now specify the EDNS version when making a query.
-
-	Added framework for handling multiple EDNS versions.
-
-	Additional memory debugging support to track size and mctx
-	arguments.
-
-	Detect duplicates of UDP queries we are recursing on and
-	drop them.  New stats category "duplicates".
-
-	"USE INTERNAL MALLOC" is now runtime selectable.
-
-	The lame cache is now done on a <qname,qclass,qtype> basis
-	as some servers only appear to be lame for certain query
-	types.
-
-	Limit the number of recursive clients that can be waiting
-	for a single query (<qname,qtype,qclass>) to resolve.  New
-	options clients-per-query and max-clients-per-query.
-
-	dig: report the number of extra bytes still left in the
-	packet after processing all the records.
-
-	Support for IPSECKEY rdata type.
-
-	Raise the UDP recieve buffer size to 32k if it is less than 32k.
-
-	x86 and x86_64 now have seperate atomic locking implementations.
-
-	named-checkconf now validates update-policy entries.
-
-	Attempt to make the amount of work performed in a iteration
-	self tuning.  The covers nodes clean from the cache per
-	iteration, nodes written to disk when rewriting a master
-	file and nodes destroyed per iteration when destroying a
-	zone or a cache.
-
-	ISC string copy API.
-
-	Automatic empty zone creation for D.F.IP6.ARPA and friends.
-	Note: RFC 1918 zones are not yet covered by this but are
-	likely to be in a future release.
-
-	New options: empty-server, empty-contact, empty-zones-enable
-	and disable-empty-zone.
-
-	dig now has a '-q queryname' and '+showsearch' options.
-
-	host/nslookup now continue (default)/fail on SERVFAIL.
-
-	dig now warns if 'RA' is not set in the answer when 'RD'
-	was set in the query.  host/nslookup skip servers that fail
-	to set 'RA' when 'RD' is set unless a server is explicitly
-	set.
-
-	Integrate contibuted DLZ code into named.
-
-	Integrate contibuted IDN code from JPNIC.
-
-	libbind: corresponds to that from BIND 8.4.7.
+  * Implemented "additional section caching (or acache)", an internal
+    cache framework for additional section content to improve response
+    performance. Several configuration options were provided to control
+    the behavior.
+  * New notify type 'master-only'. Enable notify for master zones only.
+  * Accept 'notify-source' style syntax for query-source.
+  * rndc now allows addresses to be set in the server clauses.
+  * New option "allow-query-cache". This lets "allow-query" be used to
+    specify the default zone access level rather than having to have every
+    zone override the global value. "allow-query-cache" can be set at both
+    the options and view levels. If "allow-query-cache" is not set then
+    "allow-recursion" is used if set, otherwise "allow-query" is used if
+    set unless "recursion no;" is set in which case "none;" is used,
+    otherwise the default (localhost; localnets;) is used.
+  * rndc: the source address can now be specified.
+  * ixfr-from-differences now takes master and slave in addition to yes
+    and no at the options and view levels.
+  * Allow the journal's name to be changed via named.conf.
+  * 'rndc notify zone [class [view]]' resend the NOTIFY messages for the
+    specified zone.
+  * 'dig +trace' now randomly selects the next servers to try. Report if
+    there is a bad delegation.
+  * Improve check-names error messages.
+  * Make public the function to read a key file, dst_key_read_public().
+  * dig now returns the byte count for axfr/ixfr.
+  * allow-update is now settable at the options / view level.
+  * named-checkconf now checks the logging configuration.
+  * host now can turn on memory debugging flags with '-m'.
+  * Don't send notify messages to self.
+  * Perform sanity checks on NS records which refer to 'in zone' names.
+  * New zone option "notify-delay". Specify a minimum delay between sets
+    of NOTIFY messages.
+  * Extend adjusting TTL warning messages.
+  * Named and named-checkzone can now both check for non-terminal wildcard
+    records.
+  * "rndc freeze/thaw" now freezes/thaws all zones.
+  * named-checkconf now check acls to verify that they only refer to
+    existing acls.
+  * The server syntax has been extended to support a range of servers.
+  * Report differences between hints and real NS rrset and associated
+    address records.
+  * Preserve the case of domain names in rdata during zone transfers.
+  * Restructured the data locking framework using architecture dependent
+    atomic operations (when available), improving response performance on
+    multi-processor machines significantly. x86, x86_64, alpha, powerpc,
+    and mips are currently supported.
+  * UNIX domain controls are now supported.
+  * Add support for additional zone file formats for improving loading
+    performance. The masterfile-format option in named.conf can be used to
+    specify a non-default format. A separate command named-compilezone was
+    provided to generate zone files in the new format. Additionally, the
+    -I and -O options for dnssec-signzone specify the input and output
+    formats.
+  * dnssec-signzone can now randomize signature end times (dnssec-signzone
+    -j jitter).
+  * Add support for CH A record.
+  * Add additional zone data constancy checks. named-checkzone has
+    extended checking of NS, MX and SRV record and the hosts they
+    reference. named has extended post zone load checks. New zone options:
+    check-mx and integrity-check.
+  * edns-udp-size can now be overridden on a per server basis.
+  * dig can now specify the EDNS version when making a query.
+  * Added framework for handling multiple EDNS versions.
+  * Additional memory debugging support to track size and mctx arguments.
+  * Detect duplicates of UDP queries we are recursing on and drop them.
+    New stats category "duplicates".
+  * "USE INTERNAL MALLOC" is now runtime selectable.
+  * The lame cache is now done on a basis as some servers only appear to
+    be lame for certain query types.
+  * Limit the number of recursive clients that can be waiting for a single
+    query () to resolve. New options clients-per-query and
+    max-clients-per-query.
+  * dig: report the number of extra bytes still left in the packet after
+    processing all the records.
+  * Support for IPSECKEY rdata type.
+  * Raise the UDP recieve buffer size to 32k if it is less than 32k.
+  * x86 and x86_64 now have seperate atomic locking implementations.
+  * named-checkconf now validates update-policy entries.
+  * Attempt to make the amount of work performed in a iteration self
+    tuning. The covers nodes clean from the cache per iteration, nodes
+    written to disk when rewriting a master file and nodes destroyed per
+    iteration when destroying a zone or a cache.
+  * ISC string copy API.
+  * Automatic empty zone creation for D.F.IP6.ARPA and friends. Note: RFC
+    1918 zones are not yet covered by this but are likely to be in a
+    future release.
+  * New options: empty-server, empty-contact, empty-zones-enable and
+    disable-empty-zone.
+  * dig now has a '-q queryname' and '+showsearch' options.
+  * host/nslookup now continue (default)/fail on SERVFAIL.
+  * dig now warns if 'RA' is not set in the answer when 'RD' was set in
+    the query. host/nslookup skip servers that fail to set 'RA' when 'RD'
+    is set unless a server is explicitly set.
+  * Integrate contibuted DLZ code into named.
+  * Integrate contibuted IDN code from JPNIC.
+  * libbind: corresponds to that from BIND 8.4.7.
 
 BIND 9.3.0
 
-	DNSSEC is now DS based (RFC 3658).
-	See also RFC 3845, doc/draft/draft-ietf-dnsext-dnssec-*.
-
-	DNSSEC lookaside validation.
-
-	check-names is now implemented.
-	rrset-order in more complete.
-
-	IPv4/IPv6 transition support, dual-stack-servers.
-
-	IXFR deltas can now be generated when loading master files,
-	ixfr-from-differences.
-
-	It is now possible to specify the size of a journal, max-journal-size.
-
-	It is now possible to define a named set of master servers to be
-	used in masters clause, masters.
-
-	The advertised EDNS UDP size can now be set, edns-udp-size.
-
-	allow-v6-synthesis has been obsoleted.
-
-	NOTE:
-	* Zones containing MD and MF will now be rejected.
-	* dig, nslookup name. now report "Not Implemented" as
-	  NOTIMP rather than NOTIMPL.  This will have impact on scripts
-	  that are looking for NOTIMPL.
-
-	libbind: corresponds to that from BIND 8.4.5.
+  * DNSSEC is now DS based (RFC 3658).
+  * DNSSEC lookaside validation.
+  * check-names is now implemented.
+  * rrset-order is more complete.
+  * IPv4/IPv6 transition support, dual-stack-servers.
+  * IXFR deltas can now be generated when loading master files,
+    ixfr-from-differences.
+  * It is now possible to specify the size of a journal, max-journal-size.
+  * It is now possible to define a named set of master servers to be used
+    in masters clause, masters.
+  * The advertised EDNS UDP size can now be set, edns-udp-size.
+  * allow-v6-synthesis has been obsoleted.
+  * Zones containing MD and MF will now be rejected.
+  * dig, nslookup name. now report "Not Implemented" as NOTIMP rather than
+    NOTIMPL. This will have impact on scripts that are looking for
+    NOTIMPL.
+  * libbind: corresponds to that from BIND 8.4.5.
 
 BIND 9.2.0
 
-	The size of the cache can now be limited using the
-        "max-cache-size" option.
-
-	The server can now automatically convert RFC1886-style recursive
-	lookup requests into RFC2874-style lookups, when enabled using the
-	new option "allow-v6-synthesis".  This allows stub resolvers that
-	support AAAA records but not A6 record chains or binary labels to
-	perform lookups in domains that make use of these IPv6 DNS
-	features.
-
-	Performance has been improved.
-
-	The man pages now use the more portable "man" macros rather than
-	the "mandoc" macros, and are installed by "make install".
-
-	The named.conf parser has been completely rewritten.  It now
-	supports "include" directives in more places such as inside "view"
-	statements, and it no longer has any reserved words.
-
-	The "rndc status" command is now implemented.
-
-	rndc can now be configured automatically.
-
-	A BIND 8 compatible stub resolver library is now included in
-	lib/bind.
-
-	OpenSSL has been removed from the distribution.  This means that to
-	use DNSSEC, OpenSSL must be installed and the --with-openssl option
-	must be supplied to configure.  This does not apply to the use of
-	TSIG, which does not require OpenSSL.
-
-	The source distribution now builds on Windows.  See
-	win32utils/readme1.txt and win32utils/win32-build.txt for details.
-
-	This distribution also includes a new lightweight stub
-	resolver library and associated resolver daemon that fully
-	support forward and reverse lookups of both IPv4 and IPv6
-	addresses.  This library is considered experimental and
-	is not a complete replacement for the BIND 8 resolver library.
-	Applications that use the BIND 8 res_* functions to perform
-	DNS lookups or dynamic updates still need to be linked against
-	the BIND 8 libraries.  For DNS lookups, they can also use the
-	new "getrrsetbyname()" API.
-
-	BIND 9.2 is capable of acting as an authoritative server
-	for DNSSEC secured zones.  This functionality is believed to
-	be stable and complete except for lacking support for
-	verifications involving wildcard records in secure zones.
-
-	When acting as a caching server, BIND 9.2 can be configured
-	to perform DNSSEC secure resolution on behalf of its clients.
-	This part of the DNSSEC implementation is still considered
-	experimental.  For detailed information about the state of the
-	DNSSEC implementation, see the file doc/misc/dnssec.
-
-	There are a few known bugs:
-
-	    On some systems, IPv6 and IPv4 sockets interact in
-	    unexpected ways.  For details, see doc/misc/ipv6.
-	    To reduce the impact of these problems, the server
-	    no longer listens for requests on IPv6 addresses
-	    by default.  If you need to accept DNS queries over
-	    IPv6, you must specify "listen-on-v6 { any; };"
-	    in the named.conf options statement.
-
-	    FreeBSD prior to 4.2 (and 4.2 if running as non-root)
-	    and OpenBSD prior to 2.8 log messages like
-	    "fcntl(8, F_SETFL, 4): Inappropriate ioctl for device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    OS X 10.1.4 (Darwin 5.4), OS X 10.1.5 (Darwin 5.5) and
-	    OS X 10.2 (Darwin 6.0) reports errors like
-	    "fcntl(3, F_SETFL, 4): Operation not supported by device".
-	    This is due to a bug in "/dev/random" and impacts the
-	    server's DNSSEC support.
-
-	    --with-libtool does not work on AIX.
-
-	A bug in some versions of the Microsoft DNS server can cause zone
-        transfers from a BIND 9 server to a W2K server to fail.  For details,
-	see the "Zone Transfers" section in doc/misc/migration.
+  * The size of the cache can now be limited using the "max-cache-size"
+    option.
+  * The server can now automatically convert RFC1886-style recursive
+    lookup requests into RFC2874-style lookups, when enabled using the new
+    option "allow-v6-synthesis". This allows stub resolvers that support
+    AAAA records but not A6 record chains or binary labels to perform
+    lookups in domains that make use of these IPv6 DNS features.
+  * Performance has been improved.
+  * The man pages now use the more portable "man" macros rather than the
+    "mandoc" macros, and are installed by "make install".
+  * The named.conf parser has been completely rewritten. It now supports
+    "include" directives in more places such as inside "view" statements,
+    and it no longer has any reserved words.
+  * The "rndc status" command is now implemented.
+  * rndc can now be configured automatically.
+  * A BIND 8 compatible stub resolver library is now included in lib/bind.
+  * OpenSSL has been removed from the distribution. This means that to use
+    DNSSEC, OpenSSL must be installed and the --with-openssl option must
+    be supplied to configure. This does not apply to the use of TSIG,
+    which does not require OpenSSL.
+  * The source distribution now builds on Windows. See win32utils/
+    readme1.txt and win32utils/win32-build.txt for details.
+  * This distribution also includes a new lightweight stub resolver
+    library and associated resolver daemon that fully support forward and
+    reverse lookups of both IPv4 and IPv6 addresses. This library is
+    considered experimental and is not a complete replacement for the BIND
+    8 resolver library. Applications that use the BIND 8 res_* functions
+    to perform DNS lookups or dynamic updates still need to be linked
+    against the BIND 8 libraries. For DNS lookups, they can also use the
+    new "getrrsetbyname()" API.
+  * BIND 9.2 is capable of acting as an authoritative server for DNSSEC
+    secured zones. This functionality is believed to be stable and
+    complete except for lacking support for verifications involving
+    wildcard records in secure zones.
+  * When acting as a caching server, BIND 9.2 can be configured to perform
+    DNSSEC secure resolution on behalf of its clients. This part of the
+    DNSSEC implementation is still considered experimental. For detailed
+    information about the state of the DNSSEC implementation, see the file
+    doc/misc/dnssec.
diff --git a/usr.sbin/bind/README b/usr.sbin/bind/README
index 017cdc5b115..36473f0ddba 100644
--- a/usr.sbin/bind/README
+++ b/usr.sbin/bind/README
@@ -1,614 +1,502 @@
 BIND 9
 
-	BIND version 9 is a major rewrite of nearly all aspects of the
-	underlying BIND architecture.  Some of the important features of
-	BIND 9 are:
+Contents
+
+ 1. Introduction
+ 2. Reporting bugs and getting help
+ 3. Contributing to BIND
+ 4. BIND 9.10 features
+ 5. Building BIND
+ 6. macOS
+ 7. Compile-time options
+ 8. Automated testing
+ 9. Documentation
+10. Change log
+11. Acknowledgments
+
+Introduction
+
+BIND (Berkeley Internet Name Domain) is a complete, highly portable
+implementation of the DNS (Domain Name System) protocol.
+
+The BIND name server, named, is able to serve as an authoritative name
+server, recursive resolver, DNS forwarder, or all three simultaneously. It
+implements views for split-horizon DNS, automatic DNSSEC zone signing and
+key management, catalog zones to facilitate provisioning of zone data
+throughout a name server constellation, response policy zones (RPZ) to
+protect clients from malicious data, response rate limiting (RRL) and
+recursive query limits to reduce distributed denial of service attacks,
+and many other advanced DNS features. BIND also includes a suite of
+administrative tools, including the dig and delv DNS lookup tools,
+nsupdate for dynamic DNS zone updates, rndc for remote name server
+administration, and more.
+
+BIND 9 is a complete re-write of the BIND architecture that was used in
+versions 4 and 8. Internet Systems Consortium (https://www.isc.org), a 501
+(c)(3) public benefit corporation dedicated to providing software and
+services in support of the Internet infrastructure, developed BIND 9 and
+is responsible for its ongoing maintenance and improvement. BIND is open
+source software licenced under the terms of the ISC License for all
+versions up to and including BIND 9.10, and the Mozilla Public License
+version 2.0 for all subsequent verisons.
+
+For a summary of features introduced in past major releases of BIND, see
+the file HISTORY.
+
+For a detailed list of changes made throughout the history of BIND 9, see
+the file CHANGES. See below for details on the CHANGES file format.
+
+For up-to-date release notes and errata, see http://www.isc.org/software/
+bind9/releasenotes
+
+Reporting bugs and getting help
+
+To report non-security-sensitive bugs or request new features, you may
+open an Issue in the BIND 9 project on the ISC GitLab server at https://
+gitlab.isc.org/isc-projects/bind9.
+
+Please note that, unless you explicitly mark the newly created Issue as
+"confidential", it will be publicly readable. Please do not include any
+information in bug reports that you consider to be confidential unless the
+issue has been marked as such. In particular, if submitting the contents
+of your configuration file in a non-confidential Issue, it is advisable to
+obscure key secrets: this can be done automatically by using
+named-checkconf -px.
+
+If the bug you are reporting is a potential security issue, such as an
+assertion failure or other crash in named, please do NOT use GitLab to
+report it. Instead, please send mail to security-officer@isc.org.
+
+Professional support and training for BIND are available from ISC at
+https://www.isc.org/support.
+
+To join the BIND Users mailing list, or view the archives, visit https://
+lists.isc.org/mailman/listinfo/bind-users.
+
+If you're planning on making changes to the BIND 9 source code, you may
+also want to join the BIND Workers mailing list, at https://lists.isc.org/
+mailman/listinfo/bind-workers.
+
+Contributing to BIND
+
+ISC maintains a public git repository for BIND; details can be found at
+http://www.isc.org/git/.
+
+Information for BIND contributors can be found in the following files: -
+General information: doc/dev/contrib.md - BIND 9 code style: doc/dev/
+style.md - BIND architecture and developer guide: doc/dev/dev.md
+
+Patches for BIND may be submitted as Merge Requests in the ISC GitLab
+server at at https://gitlab.isc.org/isc-projects/bind9/merge_requests.
+
+By default, external contributors don't have ability to fork BIND in the
+GitLab server, but if you wish to contribute code to BIND, you may request
+permission to do so. Thereafter, you can create git branches and directly
+submit requests that they be reviewed and merged.
+
+If you prefer, you may also submit code by opening a GitLab Issue and
+including your patch as an attachment, preferably generated by git
+format-patch.
+
+BIND 9.10 features
+
+BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
+releases. New features include:
+
+  * DNS Response-rate limiting (DNS RRL), which blunts the impact of
+    reflection and amplification attacks, is always compiled in and no
+    longer requires a compile-time option to enable it.
+  * An experimental "Source Identity Token" (SIT) EDNS option is now
+    available. Similar to DNS Cookies as invented by Donald Eastlake 3rd,
+    these are designed to enable clients to detect off-path spoofed
+    responses, and to enable servers to detect spoofed-source queries.
+    Servers can be configured to send smaller responses to clients that
+    have not identified themselves using a SIT option, reducing the
+    effectiveness of amplification attacks. RRL processing has also been
+    updated; clients proven to be legitimate via SIT are not subject to
+    rate limiting. Use configure --enable-sit to enable this feature in
+    BIND.
+  * A new zone file format, map, stores zone data in a format that can be
+    mapped directly into memory, allowing significantly faster zone
+    loading.
+  * delv (domain entity lookup and validation) is a new tool with dig-like
+    semantics for looking up DNS data and performing internal DNSSEC
+    validation. This allows easy validation in environments where the
+    resolver may not be trustworthy, and assists with troubleshooting of
+    DNSSEC problems. (NOTE: In previous development releases of BIND 9.10,
+    this utility was called delve. The spelling has been changed to avoid
+    confusion with the delve utility included with the Xapian search
+    engine.)
+  * Improved EDNS(0) processing for better resolver performance and
+    reliability over slow or lossy connections.
+  * A new configure --with-tuning=large option tunes certain compiled-in
+    constants and default settings to values better suited to large
+    servers with abundant memory. This can improve performance on such
+    servers, but will consume more memory and may degrade performance on
+    smaller systems.
+  * Substantial improvement in response-policy zone (RPZ) performance. Up
+    to 32 response-policy zones can be configured with minimal performance
+    loss.
+  * To improve recursive resolver performance, cache records which are
+    still being requested by clients can now be automatically refreshed
+    from the authoritative server before they expire, reducing or
+    eliminating the time window in which no answer is available in the
+    cache.
+  * New rpz-client-ip triggers and drop policies allowing response
+    policies based on the IP address of the client.
+  * ACLs can now be specified based on geographic location using the
+    MaxMind GeoIP databases. Use configure --with-geoip to enable.
+  * Zone data can now be shared between views, allowing multiple views to
+    serve the same zones authoritatively without storing multiple copies
+    in memory.
+  * New XML schema (version 3) for the statistics channel includes many
+    new statistics and uses a flattened XML tree for faster parsing. The
+    older schema is now deprecated.
+  * A new stylesheet, based on the Google Charts API, displays XML
+    statistics in charts and graphs on javascript-enabled browsers.
+  * The statistics channel can now provide data in JSON format as well as
+    XML.
+  * New stats counters track TCP and UDP queries received per zone, and
+    EDNS options received in total.
+  * The internal and export versions of the BIND libraries (libisc,
+    libdns, etc) have been unified so that external library clients can
+    use the same libraries as BIND itself.
+  * A new compile-time option, configure --enable-native-pkcs11, allows
+    BIND 9 cryptography functions to use the PKCS#11 API natively, so that
+    BIND can drive a cryptographic hardware service module (HSM) directly
+    instead of using a modified OpenSSL as an intermediary. (Note: This
+    feature requires an HSM to have a full implementation of the PKCS#11
+    API; many current HSMs only have partial implementations. The new
+    pkcs11-tokens command can be used to check API completeness. Native
+    PKCS#11 is known to work with the Thales nShield HSM and with SoftHSM
+    version 2 from the Open DNSSEC project.)
+  * The new max-zone-ttl option enforces maximum TTLs for zones. This can
+    simplify the process of rolling DNSSEC keys by guaranteeing that
+    cached signatures will have expired within the specified amount of
+    time.
+  * dig +subnet sends an EDNS CLIENT-SUBNET option when querying.
+  * dig +expire sends an EDNS EXPIRE option when querying. When this
+    option is sent with an SOA query to a server that supports it, it will
+    report the expiry time of a slave zone.
+  * New dnssec-coverage tool to check DNSSEC key coverage for a zone and
+    report if a lapse in signing coverage has been inadvertently
+    scheduled.
+  * Signing algorithm flexibility and other improvements for the rndc
+    control channel.
+  * named-checkzone and named-compilezone can now read journal files,
+    allowing them to process dynamic zones.
+  * Multiple DLZ databases can now be configured. Individual zones can be
+    configured to be served from a specific DLZ database. DLZ databases
+    now serve zones of type master and redirect.
+  * rndc zonestatus reports information about a specified zone.
+  * named now listens on IPv6 as well as IPv4 interfaces by default.
+  * named now preserves the capitalization of names when responding to
+    queries: for instance, a query for "example.com" may be answered with
+    "example.COM" if the name was configured that way in the zone file.
+    Some clients have a bug causing them to depend on the older behavior,
+    in which the case of the answer always matched the case of the query,
+    rather than the case of the name configured in the DNS. Such clients
+    can now be specified in the new no-case-compress ACL; this will
+    restore the older behavior of named for those clients only.
+  * new dnssec-importkey command allows the use of offline DNSSEC keys
+    with automatic DNSKEY management.
+  * New named-rrchecker tool to verify the syntactic correctness of
+    individual resource records.
+  * When re-signing a zone, the new dnssec-signzone -Q option drops
+    signatures from keys that are still published but are no longer
+    active.
+  * named-checkconf -px will print the contents of configuration files
+    with the shared secrets obscured, making it easier to share
+    configuration (e.g. when submitting a bug report) without revealing
+    private information.
+  * rndc scan causes named to re-scan network interfaces for changes in
+    local addresses.
+  * On operating systems with support for routing sockets, network
+    interfaces are re-scanned automatically whenever they change.
+  * tsig-keygen is now available as an alternate command name to use for
+    ddns-confgen.
 
-		- DNS Security
-			DNSSEC (signed zones)
-			TSIG (signed DNS requests)
-
-		- IP version 6
-			Answers DNS queries on IPv6 sockets
-			IPv6 resource records (AAAA)
-			Experimental IPv6 Resolver Library
-
-		- DNS Protocol Enhancements
-			IXFR, DDNS, Notify, EDNS0
-			Improved standards conformance
-
-		- Views
-			One server process can provide multiple "views" of
-			the DNS namespace, e.g. an "inside" view to certain
-			clients, and an "outside" view to others.
-
-		- Multiprocessor Support
-
-		- Improved Portability Architecture
-
-
-	BIND version 9 development has been underwritten by the following
-	organizations:
-
-		Sun Microsystems, Inc.
-		Hewlett Packard
-		Compaq Computer Corporation
-		IBM
-		Process Software Corporation
-		Silicon Graphics, Inc.
-		Network Associates, Inc.
-		U.S. Defense Information Systems Agency
-		USENIX Association
-		Stichting NLnet - NLnet Foundation
-		Nominum, Inc.
-
-	For a summary of functional enhancements in previous
-	releases, see the HISTORY file.
-
-	For a detailed list of user-visible changes from
-	previous releases, see the CHANGES file.
-
-	For up-to-date release notes and errata, see
-	http://www.isc.org/software/bind9/releasenotes
-
-BIND 9.10.5-P3
-
-	Addresses a TSIG regression introduced in 9.10.5-P2.
-
-BIND 9.10.5-P2
-
-        This version contains a fix for the security flaws
-        disclosed in CVE-2017-3142 and CVE-2017-3143.
-
-BIND 9.10.5-P1
-
-        This version contains a fix for the security flaws
-        disclosed in CVE-2017-3140 and CVE-2017-3141.
+BIND 9.10.1
 
-BIND 9.10.5
-	
-	BIND 9.10.5 is a maintenance release and addresses the security
-	flaws disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170,
-	CVE-2016-8864, CVE-2016-9131, CVE-2016-9147, CVE-2016-9444,
-	CVE-2017-3135, CVE-2017-3136, CVE-2017-3137, and CVE-2017-3138.
+BIND 9.10.1 is a maintenance release, and addresses the security flaws
+described in CVE-2014-3214 and CVE-2014-3859.
 
-BIND 9.10.4
+BIND 9.10.2
 
-	BIND 9.10.4 is a maintenance release and addresses bugs
-	found in BIND 9.10.3 and earlier, as well as the security
-	flaws described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704,
-	CVE-2015-8705, CVE-2016-1285, CVE-2016-1286, CVE-2016-2088,
-	CVE-2016-2775 and CVE-2016-2776.
+BIND 9.10.2 is a maintenance release, and addresses the security flaws
+described in CVE-2014-8500, CVE-2014-8680 and CVE-2015-1349.
 
 BIND 9.10.3
 
-	BIND 9.10.3 is a maintenance release and addresses bugs
-	found in BIND 9.10.2 and earlier, as well as the security
-	flaws described in CVE-2015-4620, CVE-2015-5477,
-	CVE-2015-5722, and CVE-2015-5986.
+BIND 9.10.3 is a maintenance release, and addresses the security flaws
+described in CVE-2015-4620, CVE-2015-5477, CVE-2015-5722, and
+CVE-2015-5986.
 
-	It also makes the following new features available:
+It also makes the following new features available:
 
-	- New "fetchlimit" quotas are now available for the use of
-	  recursive resolvers that are are under high query load for
-	  domains whose authoritative servers are nonresponsive or are
-	  experiencing a denial of service attack.
+  * New "fetchlimit" quotas are now available for the use of recursive
+    resolvers that are are under high query load for domains whose
+    authoritative servers are nonresponsive or are experiencing a denial
+    of service attack.
 
-	  + "fetches-per-server" limits the number of simultaneous queries
-	    that can be sent to any single authoritative server.  The
-	    configured value is a starting point; it is automatically
-	    adjusted downward if the server is partially or completely
-	    non-responsive. The algorithm used to adjust the quota can be
-	    configured via the "fetch-quota-params" option.
-	  + "fetches-per-zone" limits the number of simultaneous queries
-	    that can be sent for names within a single domain.  (Note:
-	    Unlike "fetches-per-server", this value is not self-tuning.)
-	  + New stats counters have been added to count
-	    queries spilled due to these quotas.
+      + fetches-per-server limits the number of simultaneous queries that
+        can be sent to any single authoritative server. The configured
+        value is a starting point; it is automatically adjusted downward
+        if the server is partially or completely non-responsive. The
+        algorithm used to adjust the quota can be configured via the
+        fetch-quota-params option.
+      + fetches-per-zone limits the number of simultaneous queries that
+        can be sent for names within a single domain. (Note: Unlike
+        fetches-per-server, this value is not self-tuning.)
+      + New stats counters have been added to count queries spilled due to
+        these quotas.
 
-	  NOTE: These features are NOT built in by default; use
-	  "configure --enable-fetchlimit" to enable them.
+NOTE: These features are NOT built in by default; use configure
+--enable-fetchlimit to enable them.
 
-	- Dig now supports sending of arbitrary EDNS options by specifying
-	  them on the command line.
+  * dig now supports sending of arbitrary EDNS options by specifying them
+    on the command line.
 
-BIND 9.10.2
+BIND 9.10.4
 
-	BIND 9.10.2 is a maintenance release and addresses bugs
-	found in BIND 9.10.1 and earlier, as well as the security
-	flaws described in CVE-2014-8500, CVE-2014-8680 and
-	CVE-2015-1349.
+BIND 9.10.4 is a maintenance release, and addresses the security flaws
+described in CVE-2015-8000, CVE-2015-8461, CVE-2015-8704, CVE-2015-8705,
+CVE-2016-1285, CVE-2016-1286, CVE-2016-2088, CVE-2016-2775 and
+CVE-2016-2776.
 
-BIND 9.10.1
+BIND 9.10.5
 
-	BIND 9.10.1 is a maintenance release and addresses bugs
-	found in BIND 9.10.0 and earlier.
-
-	This release addresses the security flaws described in
-	CVE-2014-3214 and CVE-2014-3859.
-
-BIND 9.10.0
-
-	BIND 9.10.0 includes a number of changes from BIND 9.9 and earlier
-	releases.  New features include:
-
-	 - DNS Response-rate limiting (DNS RRL), which blunts the
-	   impact of reflection and amplification attacks, is always
-	   compiled in and no longer requires a compile-time option
-	   to enable it.
-	 - An experimental "Source Identity Token" (SIT) EDNS option
-	   is now available.  Similar to DNS Cookies as invented by
-	   Donald Eastlake 3rd, these are designed to enable clients
-	   to detect off-path spoofed responses, and to enable servers
-	   to detect spoofed-source queries.  Servers can be configured
-	   to send smaller responses to clients that have not identified
-	   themselves using a SIT option, reducing the effectiveness of
-	   amplification attacks.  RRL processing has also been updated;
-	   clients proven to be legitimate via SIT are not subject to
-	   rate limiting.  Use "configure --enable-sit" to enable this
-	   feature in BIND.
-	 - A new zone file format, "map", stores zone data in a
-	   format that can be mapped directly into memory, allowing
-	   significantly faster zone loading.
-	 - "delv" (domain entity lookup and validation) is a new tool
-	   with dig-like semantics for looking up DNS data and performing
-	   internal DNSSEC validation.  This allows easy validation in
-	   environments where the resolver may not be trustworthy, and
-	   assists with troubleshooting of DNSSEC problems. (NOTE:
-	   In previous development releases of BIND 9.10, this utility
-	   was called "delve". The spelling has been changed to avoid
-	   confusion with the "delve" utility included with the Xapian
-	   search engine.)
-	 - Improved EDNS(0) processing for better resolver performance
-	   and reliability over slow or lossy connections.
-	 - A new "configure --with-tuning=large" option tunes certain
-	   compiled-in constants and default settings to values better
-	   suited to large servers with abundant memory.  This can
-	   improve performance on such servers, but will consume more
-	   memory and may degrade performance on smaller systems.
-	 - Substantial improvement in response-policy zone (RPZ)
-	   performance.  Up to 32 response-policy zones can be
-	   configured with minimal performance loss.
-	 - To improve recursive resolver performance, cache records
-	   which are still being requested by clients can now be
-	   automatically refreshed from the authoritative server
-	   before they expire, reducing or eliminating the time
-	   window in which no answer is available in the cache.
-	 - New "rpz-client-ip" triggers and drop policies allowing
-	   response policies based on the IP address of the client.
-	 - ACLs can now be specified based on geographic location
-	   using the MaxMind GeoIP databases.  Use "configure
-	   --with-geoip" to enable.
-	 - Zone data can now be shared between views, allowing
-	   multiple views to serve the same zones authoritatively
-	   without storing multiple copies in memory.
-	 - New XML schema (version 3) for the statistics channel
-	   includes many new statistics and uses a flattened XML tree
-	   for faster parsing. The older schema is now deprecated.
-	 - A new stylesheet, based on the Google Charts API, displays
-	   XML statistics in charts and graphs on javascript-enabled
-	   browsers.
-	 - The statistics channel can now provide data in JSON
-	   format as well as XML.
-	 - New stats counters track TCP and UDP queries received
-	   per zone, and EDNS options received in total.
-	 - The internal and export versions of the BIND libraries
-	   (libisc, libdns, etc) have been unified so that external
-	   library clients can use the same libraries as BIND itself.
-	 - A new compile-time option, "configure --enable-native-pkcs11",
-	   allows BIND 9 cryptography functions to use the PKCS#11 API
-	   natively, so that BIND can drive a cryptographic hardware
-	   service module (HSM) directly instead of using a modified
-	   OpenSSL as an intermediary. (Note: This feature requires an
-	   HSM to have a full implementation of the PKCS#11 API; many
-	   current HSMs only have partial implementations. The new
-	   "pkcs11-tokens" command can be used to check API completeness.
-	   Native PKCS#11 is known to work with the Thales nShield HSM
-	   and with SoftHSM version 2 from the Open DNSSEC project.)
-	 - The new "max-zone-ttl" option enforces maximum TTLs for
-	   zones. This can simplify the process of rolling DNSSEC keys
-	   by guaranteeing that cached signatures will have expired
-	   within the specified amount of time.
-	 - "dig +subnet" sends an EDNS CLIENT-SUBNET option when
-	   querying.
-	 - "dig +expire" sends an EDNS EXPIRE option when querying.
-	   When this option is sent with an SOA query to a server
-	   that supports it, it will report the expiry time of
-	   a slave zone.
-	 - New "dnssec-coverage" tool to check DNSSEC key coverage
-	   for a zone and report if a lapse in signing coverage has
-	   been inadvertently scheduled.
-	 - Signing algorithm flexibility and other improvements
-	   for the "rndc" control channel.
-	 - "named-checkzone" and "named-compilezone" can now read
-	   journal files, allowing them to process dynamic zones.
-	 - Multiple DLZ databases can now be configured.  Individual
-	   zones can be configured to be served from a specific DLZ
-	   database.  DLZ databases now serve zones of type "master"
-	   and "redirect".
-	 - "rndc zonestatus" reports information about a specified zone.
-	 - "named" now listens on IPv6 as well as IPv4 interfaces
-	   by default.
-	 - "named" now preserves the capitalization of names
-	   when responding to queries: for instance, a query for
-	   "example.com" may be answered with "example.COM" if the
-	   name was configured that way in the zone file.  Some
-	   clients have a bug causing them to depend on the older
-	   behavior, in which the case of the answer always matched
-	   the case of the query, rather than the case of the name
-	   configured in the DNS.  Such clients can now be specified
-	   in the new "no-case-compress" ACL; this will restore the
-	   older behavior of "named" for those clients only.
-	 - new "dnssec-importkey" command allows the use of offline
-	   DNSSEC keys with automatic DNSKEY management.
-	 - New "named-rrchecker" tool to verify the syntactic
-	   correctness of individual resource records.
-	 - When re-signing a zone, the new "dnssec-signzone -Q" option
-	   drops signatures from keys that are still published but are
-	   no longer active.
-	 - "named-checkconf -px" will print the contents of configuration
-	   files with the shared secrets obscured, making it easier to
-	   share configuration (e.g. when submitting a bug report)
-	   without revealing private information.
-	 - "rndc scan" causes named to re-scan network interfaces for
-	   changes in local addresses.
-	 - On operating systems with support for routing sockets,
-	   network interfaces are re-scanned automatically whenever
-	   they change.
-	 - "tsig-keygen" is now available as an alternate command
-	   name to use for "ddns-confgen".
-
-BIND 9.9.0
-
-	BIND 9.9.0 includes a number of changes from BIND 9.8 and earlier
-	releases.  New features include:
-
-	- Inline signing, allowing automatic DNSSEC signing of
-	  master zones without modification of the zonefile, or
-	  "bump in the wire" signing in slaves.
-	- NXDOMAIN redirection.
-	- New 'rndc flushtree' command clears all data under a given
-	  name from the DNS cache.
-	- New 'rndc sync' command dumps pending changes in a dynamic
-	  zone to disk without a freeze/thaw cycle.
-	- New 'rndc signing' command displays or clears signing status
-	  records in 'auto-dnssec' zones.
-	- NSEC3 parameters for 'auto-dnssec' zones can now be set prior
-	  to signing, eliminating the need to initially sign with NSEC.
-	- Startup time improvements on large authoritative servers.
-	- Slave zones are now saved in raw format by default.
-	- Several improvements to response policy zones (RPZ).
-	- Improved hardware scalability by using multiple threads
-	  to listen for queries and using finer-grained client locking
-	- The 'also-notify' option now takes the same syntax as
-	  'masters', so it can used named masterlists and TSIG keys.
-	- 'dnssec-signzone -D' writes an output file containing only DNSSEC
-	  data, which can be included by the primary zone file.
-	- 'dnssec-signzone -R' forces removal of signatures that are
-	  not expired but were created by a key which no longer exists.
-	- 'dnssec-signzone -X' allows a separate expiration date to
-	  be specified for DNSKEY signatures from other signatures.
-	- New '-L' option to dnssec-keygen, dnssec-settime, and
-	  dnssec-keyfromlabel sets the default TTL for the key.
-	- dnssec-dsfromkey now supports reading from standard input,
-	  to make it easier to convert DNSKEY to DS.
-	- RFC 1918 reverse zones have been added to the empty-zones
-	  table per RFC 6303.
-	- Dynamic updates can now optionally set the zone's SOA serial
-	  number to the current UNIX time.
-	- DLZ modules can now retrieve the source IP address of
-	  the querying client.
-	- 'request-ixfr' option can now be set at the per-zone level.
-	- 'dig +rrcomments' turns on comments about DNSKEY records,
-	  indicating their key ID, algorithm and function
-	- Simplified nsupdate syntax and added readline support
-
-Building
-
-	BIND 9 currently requires a UNIX system with an ANSI C compiler,
-	basic POSIX support, and a 64 bit integer type.
-
-	We've had successful builds and tests on the following systems:
-
-		COMPAQ Tru64 UNIX 5.1B
-		Fedora Core 6
-		FreeBSD 4.10, 5.2.1, 6.2
-		HP-UX 11.11
-		Mac OS X 10.5
-		NetBSD 3.x, 4.0-beta, 5.0-beta
-		OpenBSD 3.3 and up
-		Solaris 8, 9, 9 (x86), 10
-		Ubuntu 7.04, 7.10
-		Windows XP/2003/2008
-
-	NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
-	Windows, including Windows NT and Windows 2000, are no longer
-	supported.
-
-	We have recent reports from the user community that a supported
-	version of BIND will build and run on the following systems:
-
-		AIX 4.3, 5L
-		CentOS 4, 4.5, 5
-		Darwin 9.0.0d1/ARM
-		Debian 4, 5, 6
-		Fedora Core 5, 7, 8
-		FreeBSD 6, 7, 8
-		HP-UX 11.23 PA
-		MacOS X 10.5, 10.6, 10.7
-		Red Hat Enterprise Linux 4, 5, 6
-		SCO OpenServer 5.0.6
-		Slackware 9, 10
-		SuSE 9, 10
-
-	To build, just
-
-		./configure
-		make
-
-	Do not use a parallel "make".
-
-	Several environment variables that can be set before running
-	configure will affect compilation:
-
-	    CC
-		The C compiler to use.  configure tries to figure
-		out the right one for supported systems.
-
-	    CFLAGS
-		C compiler flags.  Defaults to include -g and/or -O2
-		as supported by the compiler.  Please include '-g'
-		if you need to set CFLAGS.
-
-	    STD_CINCLUDES
-		System header file directories.  Can be used to specify
-		where add-on thread or IPv6 support is, for example.
-		Defaults to empty string.
-
-	    STD_CDEFINES
-		Any additional preprocessor symbols you want defined.
-		Defaults to empty string.
-
-		Possible settings:
-		Change the default syslog facility of named/lwresd.
-		  -DISC_FACILITY=LOG_LOCAL0
-		Enable DNSSEC signature chasing support in dig.
-		  (This feature is deprecated. Use `delv` instead.)
-		  -DDIG_SIGCHASE=1 (sets -DDIG_SIGCHASE_TD=1 and
-				    -DDIG_SIGCHASE_BU=1)
-		Disable dropping queries from particular well known ports.
-		  -DNS_CLIENT_DROPPORT=0
-		Sibling glue checking in named-checkzone is enabled by default.
-		To disable the default check set.  -DCHECK_SIBLING=0
-		named-checkzone checks out-of-zone addresses by default.
-		To disable this default set.  -DCHECK_LOCAL=0
-		To create the default pid files in ${localstatedir}/run rather
-		than ${localstatedir}/run/{named,lwresd}/ set.
-		  -DNS_RUN_PID_DIR=0
-		Enable workaround for Solaris kernel bug about /dev/poll
-		  -DISC_SOCKET_USE_POLLWATCH=1
-		  The watch timeout is also configurable, e.g.,
-		  -DISC_SOCKET_POLLWATCH_TIMEOUT=20
-
-	    LDFLAGS
-		Linker flags. Defaults to empty string.
-
-	The following need to be set when cross compiling.
-
-	    BUILD_CC
-		The native C compiler.
-	    BUILD_CFLAGS (optional)
-	    BUILD_CPPFLAGS (optional)
-		Possible Settings:
-		-DNEED_OPTARG=1         (optarg is not declared in <unistd.h>)
-	    BUILD_LDFLAGS (optional)
-	    BUILD_LIBS (optional)
-
-	On most platforms, BIND 9 is built with multithreading
-	support, allowing it to take advantage of multiple CPUs.
-	You can configure this by specifying "--enable-threads" or
-	"--disable-threads" on the configure command line.  The default
-	is to enable threads, except on some older operating systems
-	on which threads are known to have had problems in the past.
-	(Note: Prior to BIND 9.10, the default was to disable threads on
-	Linux systems; this has been reversed.  On Linux systems, the
-	threaded build is known to change BIND's behavior with respect
-	to file permissions; it may be necessary to specify a user with
-	the -u option when running named.)
-
-	To build shared libraries, specify "--with-libtool" on the
-	configure command line.
-
-	Certain compiled-in constants and default settings can be
-	increased to values better suited to large servers with abundant
-	memory resources (e.g, 64-bit servers with 12G or more of memory)
-	by specifying "--with-tuning=large" on the configure command
-	line. This can improve performance on big servers, but will
-	consume more memory and may degrade performance on smaller
-	systems.
-
-	For the server to support DNSSEC, you need to build it
-	with crypto support.  You must have OpenSSL 1.0.1t
-	or newer installed and specify "--with-openssl" on the
-	configure command line.  If OpenSSL is installed under
-	a nonstandard prefix, you can tell configure where to
-	look for it using "--with-openssl=/prefix".
-
-	To support the HTTP statistics channel, the server must
-	be linked with at least one of the following: libxml2
-	(http://xmlsoft.org) or json-c (https://github.com/json-c).
-	If these are installed at a nonstandard prefix, use
-	"--with-libxml2=/prefix" or "--with-libjson=/prefix".
-
-	Python requires 'argparse' to be available.  'argparse' is
-	a standard module as of Python 2.7 and Python 3.2.
-
-	On some platforms it is necessary to explicitly request large
-	file support to handle files bigger than 2GB.  This can be
-	done by "--enable-largefile" on the configure command line.
-
-	Support for the "fixed" rrset-order option can be enabled
-	or disabled by specifying "--enable-fixed-rrset" or
-	"--disable-fixed-rrset" on the configure command line.
-	The default is "disabled", to reduce memory footprint.
-
-	If your operating system has integrated support for IPv6, it
-	will be used automatically.  If you have installed KAME IPv6
-	separately, use "--with-kame[=PATH]" to specify its location.
-
-	"make install" will install "named" and the various BIND 9 libraries.
-	By default, installation is into /usr/local, but this can be changed
-	with the "--prefix" option when running "configure".
-
-	You may specify the option "--sysconfdir" to set the directory
-	where configuration files like "named.conf" go by default,
-	and "--localstatedir" to set the default parent directory
-	of "run/named.pid".   For backwards compatibility with BIND 8,
-	--sysconfdir defaults to "/etc" and --localstatedir defaults to
-	"/var" if no --prefix option is given.  If there is a --prefix
-	option, sysconfdir defaults to "$prefix/etc" and localstatedir
-	defaults to "$prefix/var".
-
-	To see additional configure options, run "configure --help".
-	Note that the help message does not reflect the BIND 8
-	compatibility defaults for sysconfdir and localstatedir.
-
-	If you're planning on making changes to the BIND 9 source, you
-	should also "make depend".  If you're using Emacs, you might find
-	"make tags" helpful.
-
-	If you need to re-run configure please run "make distclean" first.
-	This will ensure that all the option changes take.
-
-	Building with gcc is not supported, unless gcc is the vendor's usual
-	compiler (e.g. the various BSD systems, Linux).
-
-	Known compiler issues:
-	* gcc-3.2.1 and gcc-3.1.1 is known to cause problems with solaris-x86.
-	* gcc prior to gcc-3.2.3 ultrasparc generates incorrect code at -02.
-	* gcc-3.3.5 powerpc generates incorrect code at -02.
-	* Irix, MipsPRO 7.4.1m is known to cause problems.
-
-	A limited test suite can be run with "make test".  Many of
-	the tests require you to configure a set of virtual IP addresses
-	on your system, and some require Perl; see bin/tests/system/README
-	for details.
-
-	SunOS 4 requires "printf" to be installed to make the shared
-	libraries.  sh-utils-1.16 provides a "printf" which compiles
-	on SunOS 4.
-
-Known limitations
-
-	Linux requires kernel build 2.6.39 or later to get the
-	performance benefits from using multiple sockets.
+BIND 9.10.5 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2016-2775, CVE-2016-2776, CVE-2016-6170, CVE-2016-8864,
+CVE-2016-9131, CVE-2016-9147, CVE-2016-9444, CVE-2017-3135, CVE-2017-3136,
+CVE-2017-3137, and CVE-2017-3138.
+
+BIND 9.10.6
+
+BIND 9.10.6 is a maintenance release, and addresses the security flaws
+disclosed in CVE-2017-3140 and CVE-2017-3141, CVE-2017-3142 and
+CVE-2017-3143.
+
+BIND 9.10.7
+
+BIND 9.10.7 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2017-3145.
+
+BIND 9.10.8
+
+BIND 9.10.8 is a maintenance release, and addresses the security flaw
+disclosed in CVE-2018-5738.
+
+Building BIND
+
+BIND requires a UNIX or Linux system with an ANSI C compiler, basic POSIX
+support, and a 64-bit integer type. Successful builds have been observed
+on many versions of Linux and UNIX, including RedHat, Fedora, Debian,
+Ubuntu, SuSE, Slackware, FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris,
+HP-UX, AIX, SCO OpenServer, and OpenWRT.
+
+BIND is also available for Windows XP, 2003, 2008, and higher. See
+win32utils/readme1st.txt for details on building for Windows systems.
+
+To build on a UNIX or Linux system, use:
+
+    $ ./configure
+    $ make
+
+If you're planning on making changes to the BIND 9 source, you should run
+make depend. If you're using Emacs, you might find make tags helpful.
+
+Several environment variables that can be set before running configure
+will affect compilation:
+
+Variable       Description
+CC             The C compiler to use. configure tries to figure out the
+               right one for supported systems.
+               C compiler flags. Defaults to include -g and/or -O2 as
+CFLAGS         supported by the compiler. Please include '-g' if you need
+               to set CFLAGS.
+               System header file directories. Can be used to specify
+STD_CINCLUDES  where add-on thread or IPv6 support is, for example.
+               Defaults to empty string.
+               Any additional preprocessor symbols you want defined.
+STD_CDEFINES   Defaults to empty string. For a list of possible settings,
+               see the file OPTIONS.
+LDFLAGS        Linker flags. Defaults to empty string.
+BUILD_CC       Needed when cross-compiling: the native C compiler to use
+               when building for the target system.
+BUILD_CFLAGS   Optional, used for cross-compiling
+BUILD_CPPFLAGS
+BUILD_LDFLAGS
+BUILD_LIBS
+
+macOS
+
+Building on macOS assumes that the "Command Tools for Xcode" is installed.
+This can be downloaded from https://developer.apple.com/download/more/ or
+if you have Xcode already installed you can run "xcode-select --install".
+This will add /usr/include to the system and install the compiler and
+other tools so that they can be easily found.
+
+Compile-time options
+
+To see a full list of configuration options, run configure --help.
+
+On most platforms, BIND 9 is built with multithreading support, allowing
+it to take advantage of multiple CPUs. You can configure this by
+specifying --enable-threads or --disable-threads on the configure command
+line. The default is to enable threads, except on some older operating
+systems on which threads are known to have had problems in the past.
+(Note: Prior to BIND 9.10, the default was to disable threads on Linux
+systems; this has now been reversed. On Linux systems, the threaded build
+is known to change BIND's behavior with respect to file permissions; it
+may be necessary to specify a user with the -u option when running named.)
+
+To build shared libraries, specify --with-libtool on the configure command
+line.
+
+Certain compiled-in constants and default settings can be increased to
+values better suited to large servers with abundant memory resources (e.g,
+64-bit servers with 12G or more of memory) by specifying --with-tuning=
+large on the configure command line. This can improve performance on big
+servers, but will consume more memory and may degrade performance on
+smaller systems.
+
+For the server to support DNSSEC, you need to build it with crypto
+support. To use OpenSSL, you should have OpenSSL 1.0.2e or newer
+installed. If the OpenSSL library is installed in a nonstandard location,
+specify the prefix using "--with-openssl=<PREFIX>" on the configure
+command line. To use a PKCS#11 hardware service module for cryptographic
+operations, specify the path to the PKCS#11 provider library using
+"--with-pkcs11=<PREFIX>", and configure BIND with
+"--enable-native-pkcs11".
+
+To support the HTTP statistics channel, the server must be linked with at
+least one of the following: libxml2 http://xmlsoft.org or json-c https://
+github.com/json-c. If these are installed at a nonstandard location,
+specify the prefix using --with-libxml2=/prefix or --with-libjson=/prefix.
+
+To support GeoIP location-based ACLs, the server must be linked with
+libGeoIP. This is not turned on by default; BIND must be configured with
+"--with-geoip". If the library is installed in a nonstandard location, use
+specify the prefix using "--with-geoip=/prefix".
+
+Portions of BIND that are written in Python, including dnssec-coverage,
+dnssec-checkds, and some of the system tests, require the 'argparse'
+module to be available. 'argparse' is a standard module as of Python 2.7
+and Python 3.2.
+
+On some platforms it is necessary to explicitly request large file support
+to handle files bigger than 2GB. This can be done by using
+--enable-largefile on the configure command line.
+
+Support for the "fixed" rrset-order option can be enabled or disabled by
+specifying --enable-fixed-rrset or --disable-fixed-rrset on the configure
+command line. By default, fixed rrset-order is disabled to reduce memory
+footprint.
+
+If your operating system has integrated support for IPv6, it will be used
+automatically. If you have installed KAME IPv6 separately, use --with-kame
+[=PATH] to specify its location.
+
+make install will install named and the various BIND 9 libraries. By
+default, installation is into /usr/local, but this can be changed with the
+--prefix option when running configure.
+
+You may specify the option --sysconfdir to set the directory where
+configuration files like named.conf go by default, and --localstatedir to
+set the default parent directory of run/named.pid. For backwards
+compatibility with BIND 8, --sysconfdir defaults to /etc and
+--localstatedir defaults to /var if no --prefix option is given. If there
+is a --prefix option, sysconfdir defaults to $prefix/etc and localstatedir
+defaults to $prefix/var.
+
+Automated testing
+
+A system test suite can be run with make test. The system tests require
+you to configure a set of virtual IP addresses on your system (this allows
+multiple servers to run locally and communicate with one another). These
+IP addresses can be configured by running the command bin/tests/system/
+ifconfig.sh up as root.
+
+Some tests require Perl and the Net::DNS and/or IO::Socket::INET6 modules,
+and will be skipped if these are not available. Some tests require Python
+and the 'dnspython' module and will be skipped if these are not available.
+See bin/tests/system/README for further details.
+
+Unit tests are implemented using Automated Testing Framework (ATF). To run
+them, use configure --with-atf, then run make test or make unit.
 
 Documentation
 
-	The BIND 9 Administrator Reference Manual is included with the
-	source distribution in DocBook XML and HTML format, in the
-	doc/arm directory.
-
-	Some of the programs in the BIND 9 distribution have man pages
-	in their directories.  In particular, the command line
-	options of "named" are documented in /bin/named/named.8.
-	There is now also a set of man pages for the lwres library.
-
-	If you are upgrading from BIND 8, please read the migration
-	notes in doc/misc/migration.  If you are upgrading from
-	BIND 4, read doc/misc/migration-4to9.
-
-	Frequently asked questions and their answers can be found in
-	FAQ.
-
-	Additional information on various subjects can be found
-	in the other README files.
-
-
-Change Log
-
-	A detailed list of all changes to BIND 9 is included in the
-	file CHANGES, with the most recent changes listed first.
-	Change notes include tags indicating the category of the
-	change that was made; these categories are:
-
-	   [func]         New feature
-
-	   [bug]          General bug fix
-
-	   [security]     Fix for a significant security flaw
-
-	   [experimental] Used for new features when the syntax
-			  or other aspects of the design are still
-			  in flux and may change
-
-	   [port]         Portability enhancement
-
-	   [maint]        Updates to built-in data such as root
-			  server addresses and keys
-
-	   [tuning]       Changes to built-in configuration defaults
-			  and constants to improve performance
-
-	   [performance]  Other changes to improve server performance
-
-	   [protocol]     Updates to the DNS protocol such as new
-			  RR types
-
-	   [test]         Changes to the automatic tests, not
-			  affecting server functionality
-
-	   [cleanup]      Minor corrections and refactoring
-
-	   [doc]          Documentation
-
-	   [contrib]	  Changes to the contributed tools and
-			  libraries in the 'contrib' subdirectory
-
-	   [placeholder]  Used in the master development branch to
-			  reserve change numbers for use in other
-			  branches, e.g. when fixing a bug that only
-			  exists in older releases
-
-	In general, [func] and [experimental] tags will only appear
-	in new-feature releases (i.e., those with version numbers
-	ending in zero).  Some new functionality may be backported to
-	older releases on a case-by-case basis.  All other change
-	types may be applied to all currently-supported releases.
-
-
-Bug Reports and Mailing Lists
-
-	Bug reports should be sent to:
-
-		bind9-bugs@isc.org
-
-	Feature requests can be sent to:
-
-		bind-suggest@isc.org
-
-	To join or view the archives of the BIND Users mailing list,
-	visit:
-
-		https://lists.isc.org/mailman/listinfo/bind-users
-
-	If you're planning on making changes to the BIND 9 source
-	code, you may also want to join the BIND Workers mailing
-	list:
-
-		https://lists.isc.org/mailman/listinfo/bind-workers
-
-	Information on read-only Git access, coding style and developer
-	guidelines can be found at:
-
-		http://www.isc.org/git/
-
+The BIND 9 Administrator Reference Manual is included with the source
+distribution, in DocBook XML, HTML and PDF format, in the doc/arm
+directory.
+
+Some of the programs in the BIND 9 distribution have man pages in their
+directories. In particular, the command line options of named are
+documented in bin/named/named.8.
+
+Frequently (and not-so-frequently) asked questions and their answers can
+be found in the ISC Knowledge Base at https://kb.isc.org.
+
+Additional information on various subjects can be found in other README
+files throughout the source tree.
+
+Change log
+
+A detailed list of all changes that have been made throughout the
+development BIND 9 is included in the file CHANGES, with the most recent
+changes listed first. Change notes include tags indicating the category of
+the change that was made; these categories are:
+
+Category       Description
+[func]         New feature
+[bug]          General bug fix
+[security]     Fix for a significant security flaw
+[experimental] Used for new features when the syntax or other aspects of
+               the design are still in flux and may change
+[port]         Portability enhancement
+[maint]        Updates to built-in data such as root server addresses and
+               keys
+[tuning]       Changes to built-in configuration defaults and constants to
+               improve performance
+[performance]  Other changes to improve server performance
+[protocol]     Updates to the DNS protocol such as new RR types
+[test]         Changes to the automatic tests, not affecting server
+               functionality
+[cleanup]      Minor corrections and refactoring
+[doc]          Documentation
+[contrib]      Changes to the contributed tools and libraries in the
+               'contrib' subdirectory
+               Used in the master development branch to reserve change
+[placeholder]  numbers for use in other branches, e.g. when fixing a bug
+               that only exists in older releases
+
+In general, [func] and [experimental] tags will only appear in new-feature
+releases (i.e., those with version numbers ending in zero). Some new
+functionality may be backported to older releases on a case-by-case basis.
+All other change types may be applied to all currently-supported releases.
 
 Acknowledgments
 
-	- This product includes software developed by the OpenSSL Project
-	  for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/).
-	- This product includes cryptographic software written by Eric
-	  Young (eay@cryptsoft.com).
-	- This product includes software written by Tim Hudson
-	  (tjh@cryptsoft.com).
+  * The original development of BIND 9 was underwritten by the following
+    organizations:
+
+    Sun Microsystems, Inc.
+    Hewlett Packard
+    Compaq Computer Corporation
+    IBM
+    Process Software Corporation
+    Silicon Graphics, Inc.
+    Network Associates, Inc.
+    U.S. Defense Information Systems Agency
+    USENIX Association
+    Stichting NLnet - NLnet Foundation
+    Nominum, Inc.
+
+  * This product includes software developed by the OpenSSL Project for
+    use in the OpenSSL Toolkit. http://www.OpenSSL.org/
+  * This product includes cryptographic software written by Eric Young
+    (eay@cryptsoft.com)
+  * This product includes software written by Tim Hudson
+    (tjh@cryptsoft.com)
diff --git a/usr.sbin/bind/acconfig.h b/usr.sbin/bind/acconfig.h
index cd434f4388f..f2fc2c80604 100644
--- a/usr.sbin/bind/acconfig.h
+++ b/usr.sbin/bind/acconfig.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.8 2019/12/16 16:16:22 deraadt Exp $ */
+/* $Id: acconfig.h,v 1.9 2019/12/17 01:46:30 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/bin/Makefile.in b/usr.sbin/bind/bin/Makefile.in
index 5442a055cb1..f6bf45b99b8 100644
--- a/usr.sbin/bind/bin/Makefile.in
+++ b/usr.sbin/bind/bin/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8 2019/12/16 16:16:23 deraadt Exp $
+# $Id: Makefile.in,v 1.9 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/bin/dig/Makefile.in b/usr.sbin/bind/bin/dig/Makefile.in
index 1dc973510cc..817ea741065 100644
--- a/usr.sbin/bind/bin/dig/Makefile.in
+++ b/usr.sbin/bind/bin/dig/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000-2002  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7 2019/12/16 16:16:23 deraadt Exp $
+# $Id: Makefile.in,v 1.8 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,9 +24,9 @@ VERSION=@BIND9_VERSION@
 
 READLINE_LIB = @READLINE_LIB@
 
-CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@ \
-		${LWRES_INCLUDES} ${ISCCFG_INCLUDES}
+CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
+		${BIND9_INCLUDES} ${ISC_INCLUDES} \
+		${LWRES_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
 
 CDEFINES =	-DVERSION=\"${VERSION}\" @CRYPTO@
 CWARNINGS =
diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1
index 55aa341f1cb..feb036d0ce4 100644
--- a/usr.sbin/bind/bin/dig/dig.1
+++ b/usr.sbin/bind/bin/dig/dig.1
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2003 Internet Software Consortium.
+.\" Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -48,7 +47,7 @@
 dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP \w'\fBdig\fR\ 'u
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-m\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [name] [type] [class] [queryopt...]
 .HP \w'\fBdig\fR\ 'u
 \fBdig\fR [\fB\-h\fR]
 .HP \w'\fBdig\fR\ 'u
@@ -56,7 +55,7 @@ dig \- DNS lookup utility
 .SH "DESCRIPTION"
 .PP
 \fBdig\fR
-(domain information groper) is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
+is a flexible tool for interrogating DNS name servers\&. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried\&. Most DNS administrators use
 \fBdig\fR
 to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output\&. Other lookup tools tend to have less functionality than
 \fBdig\fR\&.
@@ -185,7 +184,7 @@ using the command\-line interface\&.
 .PP
 \-i
 .RS 4
-Do reverse IPv6 lookups using the obsolete RFC1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC2874) are not attempted\&.
+Do reverse IPv6 lookups using the obsolete RFC 1886 IP6\&.INT domain, which is no longer in use\&. Obsolete bit string label queries (RFC 2874) are not attempted\&.
 .RE
 .PP
 \-k \fIkeyfile\fR
@@ -219,13 +218,20 @@ from other arguments\&.
 .PP
 \-t \fItype\fR
 .RS 4
-The resource record type to query\&. It can be any valid query type which is supported in BIND 9\&. The default query type is "A", unless the
+The resource record type to query\&. It can be any valid query type\&. If it is a resource record type supported in BIND 9, it can be given by the type mnemonic (such as "NS" or "AAAA")\&. The default query type is "A", unless the
 \fB\-x\fR
 option is supplied to indicate a reverse lookup\&. A zone transfer can be requested by specifying a type of AXFR\&. When an incremental zone transfer (IXFR) is required, set the
 \fItype\fR
 to
 ixfr=N\&. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone\*(Aqs SOA record was
 \fIN\fR\&.
+.sp
+All resource record types can be expressed as "TYPEnn", where "nn" is the number of the type\&. If the resource record type is not supported in BIND 9, the result will be displayed as described in RFC 3597\&.
+.RE
+.PP
+\-u
+.RS 4
+Print query times in microseconds instead of milliseconds\&.
 .RE
 .PP
 \-v
@@ -367,6 +373,26 @@ and the query options that have been applied\&. This comment is printed by defau
 Toggle the display of comment lines in the output\&. The default is to print comments\&.
 .RE
 .PP
+\fB+[no]cookie\fR\fB[=####]\fR
+.RS 4
+Send an COOKIE EDNS option, containing an optional
+\fIvalue\fR\&. Replaying a COOKIE from a previous response will allow the server to identify a previous client\&. The default is
+\fB+nocookie\fR\&.
+.sp
+\fB+cookie\fR
+is automatically set when +trace is in use, to better emulate the default queries from a nameserver\&.
+.sp
+This option was formerly called
+\fB+[no]sit\fR
+(Server Identity Token)\&. In BIND 9\&.10\&.0 through BIND 9\&.10\&.2, it sent the experimental option code 65001\&. This was changed to option code 10 in BIND 9\&.10\&.3 when the DNS COOKIE option was allocated\&.
+.sp
+The
+\fB+[no]sit\fR
+is now deprecated, but has been retained as a synonym for
+\fB+[no]cookie\fR
+for backward compatibility within the BIND 9\&.10 branch\&.
+.RE
+.PP
 \fB+[no]crypto\fR
 .RS 4
 Toggle the display of cryptographic fields in DNSSEC records\&. The contents of these field are unnecessary to debug most DNSSEC validation failures and removing them makes it easier to see the common failures\&. The default is to display the fields\&. When omitted they are replaced by the string "[omitted]" or in the DNSKEY case the key id is displayed as the replacement, e\&.g\&. "[ key id = value ]"\&.
@@ -418,8 +444,13 @@ Specify EDNS option with code point
 and optionally payload of
 \fBvalue\fR
 as a hexadecimal string\&.
+\fBcode\fR
+can be either an EDNS option name (for example,
+NSID
+or
+ECS), or an arbitrary numeric value\&.
 \fB+noednsopt\fR
-clears the EDNS options to to be sent\&.
+clears the EDNS options to be sent\&.
 .RE
 .PP
 \fB+[no]expire\fR
@@ -574,8 +605,12 @@ instead\&.
 .PP
 \fB+[no]sit\fR\fB[=####]\fR
 .RS 4
-Send a Source Identity Token EDNS option, with optional value\&. Replaying a SIT from a previous response will allow the server to identify a previous client\&. The default is
-\fB+nosit\fR\&. Currently using experimental value 65001 for the option code\&.
+This option is a synonym for
+\fB+[no]cookie\fR\&.
+.sp
+The
+\fB+[no]sit\fR
+is deprecated\&.
 .RE
 .PP
 \fB+split=W\fR
@@ -742,7 +777,7 @@ ${HOME}/\&.digrc
 \fBhost\fR(1),
 \fBnamed\fR(8),
 \fBdnssec-keygen\fR(8),
-RFC1035\&.
+RFC 1035\&.
 .SH "BUGS"
 .PP
 There are probably too many query options\&.
@@ -751,7 +786,5 @@ There are probably too many query options\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2003 Internet Software Consortium.
+Copyright \(co 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c
index 950ca635a77..592c530c040 100644
--- a/usr.sbin/bind/bin/dig/dig.c
+++ b/usr.sbin/bind/bin/dig/dig.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.19 2019/12/16 17:32:39 deraadt Exp $ */
+/* $Id: dig.c,v 1.20 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -28,6 +27,7 @@
 #include <isc/app.h>
 #include <isc/netaddr.h>
 #include <isc/parseint.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/string.h>
 #include <isc/task.h>
@@ -58,6 +58,16 @@
 
 #define DIG_MAX_ADDRESSES 20
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+
 dig_lookup_t *default_lookup = NULL;
 
 static char *batchname = NULL;
@@ -126,13 +136,13 @@ rcode_totext(dns_rcode_t rcode)
 {
 	static char buf[sizeof("?65535")];
 
+	if (rcode == dns_rcode_badcookie)
+		return ("BADCOOKIE");
 	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
 		snprintf(buf, sizeof(buf), "?%u", rcode);
 		return (buf);
-	} else if (rcode == dns_rcode_badcookie)
-		return ("BADCOOKIE");
-	else
-		return (rcodetext[rcode]);
+	}
+	return (rcodetext[rcode]);
 }
 
 /*% print usage */
@@ -198,6 +208,9 @@ help(void) {
 "                 +[no]cl             (Control display of class in records)\n"
 "                 +[no]cmd            (Control display of command line)\n"
 "                 +[no]comments       (Control display of comment lines)\n"
+#ifdef ISC_PLATFORM_USESIT
+"                 +[no]cookie         (Add a COOKIE option to the request)\n"
+#endif
 "                 +[no]crypto         (Control display of cryptographic "
 				       "fields in records)\n"
 "                 +[no]defname        (Use search list (+[no]search))\n"
@@ -235,7 +248,7 @@ help(void) {
 "                 +[no]sigchase       (Chase DNSSEC signatures)\n"
 #endif
 #ifdef ISC_PLATFORM_USESIT
-"                 +[no]sit            (Request a Source Identity Token)\n"
+"                 +[no]sit            (A synonym for +[no]cookie)\n"
 #endif
 "                 +[no]split=##       (Split hex/base64 fields into chunks)\n"
 "                 +[no]stats          (Control display of statistics)\n"
@@ -264,12 +277,16 @@ help(void) {
 /*%
  * Callback from dighost.c to print the received message.
  */
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_uint64_t diff;
 	time_t tnow;
 	struct tm tmnow;
+#ifdef WIN32
+	wchar_t time_str[100];
+#else
 	char time_str[100];
+#endif
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];
 
 	isc_sockaddr_format(from, fromtext, sizeof(fromtext));
@@ -282,10 +299,25 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 			printf(";; Query time: %ld msec\n", (long) diff / 1000);
 		printf(";; SERVER: %s(%s)\n", fromtext, query->servname);
 		time(&tnow);
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(WIN32)
+		(void)localtime_r(&tnow, &tmnow);
+#else
 		tmnow  = *localtime(&tnow);
+#endif
+
+#ifdef WIN32
+		/*
+		 * On Windows, time zone name ("%Z") may be a localized
+		 * wide-character string, which strftime() handles incorrectly.
+		 */
+		if (wcsftime(time_str, sizeof(time_str)/sizeof(time_str[0]),
+			     L"%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
+			printf(";; WHEN: %ls\n", time_str);
+#else
 		if (strftime(time_str, sizeof(time_str),
 			     "%a %b %d %H:%M:%S %Z %Y", &tmnow) > 0U)
 			printf(";; WHEN: %s\n", time_str);
+#endif
 		if (query->lookup->doing_xfr) {
 			printf(";; XFR size: %u records (messages %u, "
 			       "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
@@ -294,12 +326,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 		} else {
 			printf(";; MSG SIZE  rcvd: %u\n", bytes);
 		}
-		if (key != NULL) {
+		if (tsigkey != NULL) {
 			if (!validated)
 				puts(";; WARNING -- Some TSIG could not "
 				     "be validated");
 		}
-		if ((key == NULL) && (keysecret[0] != 0)) {
+		if ((tsigkey == NULL) && (keysecret[0] != 0)) {
 			puts(";; WARNING -- TSIG key was not used.");
 		}
 		puts("");
@@ -327,7 +359,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
  * Not used in dig.
  * XXX print_trying
  */
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(frm);
 	UNUSED(lookup);
@@ -340,7 +372,7 @@ static isc_result_t
 say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 	isc_result_t result;
 	isc_uint64_t diff;
-	char store[sizeof("12345678901234567890")];
+	char store[sizeof(" in 18446744073709551616 us.")];
 	unsigned int styleflags = 0;
 
 	if (query->lookup->trace || query->lookup->ns_search_only) {
@@ -361,13 +393,14 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
 		return (result);
 	check_result(result, "dns_rdata_totext");
 	if (query->lookup->identify) {
+
 		diff = isc_time_microdiff(&query->time_recv, &query->time_sent);
 		ADD_STRING(buf, " from server ");
 		ADD_STRING(buf, query->servname);
 		if (use_usec)
-			snprintf(store, 19, " in %ld us.", (long) diff);
+			snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u us.", diff);
 		else
-			snprintf(store, 19, " in %ld ms.", (long) diff / 1000);
+			snprintf(store, sizeof(store), " in %" ISC_PLATFORM_QUADFORMAT "u ms.", diff / 1000);
 		ADD_STRING(buf, store);
 	}
 	ADD_STRING(buf, "\n");
@@ -425,7 +458,7 @@ short_answer(dns_message_t *msg, dns_messagetextflag_t flags,
 	return (ISC_R_SUCCESS);
 }
 #ifdef DIG_SIGCHASE
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -482,10 +515,30 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 }
 #endif
 
+static isc_boolean_t
+isdotlocal(dns_message_t *msg) {
+	isc_result_t result;
+	static unsigned char local_ndata[] = { "\005local\0" };
+	static unsigned char local_offsets[] = { 0, 6 };
+	static dns_name_t local =
+		DNS_NAME_INITABSOLUTE(local_ndata, local_offsets);
+
+	for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(msg, DNS_SECTION_QUESTION))
+	{
+		dns_name_t *name = NULL;
+		dns_message_currentname(msg, DNS_SECTION_QUESTION, &name);
+		if (dns_name_issubdomain(name, &local))
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
 /*
  * Callback from dighost.c to print the reply from a server
  */
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_result_t result;
 	dns_messagetextflag_t flags;
@@ -563,6 +616,12 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 			printf(";; Got answer:\n");
 
 		if (headers) {
+			if (isdotlocal(msg)) {
+				printf(";; WARNING: .local is reserved for "
+				       "Multicast DNS\n;; You are currently "
+				       "testing what happens when an mDNS "
+				       "query is leaked to DNS\n");
+			}
 			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
 			       "id: %u\n",
 			       opcodetext[msg->opcode],
@@ -718,33 +777,27 @@ cleanup:
 static void
 printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 	int i;
-	size_t remaining;
 	static isc_boolean_t first = ISC_TRUE;
 	char append[MXNAME];
 
 	if (printcmd) {
-		lookup->cmdline[sizeof(lookup->cmdline) - 1] = 0;
 		snprintf(lookup->cmdline, sizeof(lookup->cmdline),
 			 "%s; <<>> DiG " VERSION " <<>>",
 			 first?"\n":"");
 		i = 1;
 		while (i < argc) {
 			snprintf(append, sizeof(append), " %s", argv[i++]);
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
-		remaining = sizeof(lookup->cmdline) -
-			    strlen(lookup->cmdline) - 1;
-		strncat(lookup->cmdline, "\n", remaining);
+		strlcat(lookup->cmdline, "\n", sizeof(lookup->cmdline));
 		if (first && addresscount != 0) {
 			snprintf(append, sizeof(append),
 				 "; (%d server%s found)\n",
 				 addresscount,
 				 addresscount > 1 ? "s" : "");
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
 		if (first) {
 			snprintf(append, sizeof(append),
@@ -752,9 +805,8 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 				 short_form ? " +short" : "",
 				 printcmd ? " +cmd" : "");
 			first = ISC_FALSE;
-			remaining = sizeof(lookup->cmdline) -
-				    strlen(lookup->cmdline) - 1;
-			strncat(lookup->cmdline, append, remaining);
+			strlcat(lookup->cmdline, append,
+				sizeof(lookup->cmdline));
 		}
 	}
 }
@@ -779,8 +831,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 	size_t n;
 #endif
 
-	strncpy(option_store, option, sizeof(option_store));
-	option_store[sizeof(option_store)-1]=0;
+	strlcpy(option_store, option, sizeof(option_store));
 	ptr = option_store;
 	cmd = next_token(&ptr, "=");
 	if (cmd == NULL) {
@@ -896,10 +947,23 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 			printcmd = state;
 			break;
 		case 'o': /* comments */
-			FULLCHECK("comments");
-			lookup->comments = state;
-			if (lookup == default_lookup)
-				pluscomm = state;
+#ifdef ISC_PLATFORM_USESIT
+			switch (cmd[2]) {
+			case 'o':
+				FULLCHECK("cookie");
+				goto sit;
+			case 'm':
+#endif
+				FULLCHECK("comments");
+				lookup->comments = state;
+				if (lookup == default_lookup)
+					pluscomm = state;
+#ifdef ISC_PLATFORM_USESIT
+				break;
+			default:
+				goto invalid_option;
+			}
+#endif
 			break;
 		case 'r':
 			FULLCHECK("crypto");
@@ -929,8 +993,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 				goto need_value;
 			if (!state)
 				goto invalid_option;
-			strncpy(domainopt, value, sizeof(domainopt));
-			domainopt[sizeof(domainopt)-1] = '\0';
+			strlcpy(domainopt, value, sizeof(domainopt));
 			break;
 		default:
 			goto invalid_option;
@@ -1242,6 +1305,7 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 #ifdef ISC_PLATFORM_USESIT
 			case 't': /* sit */
 				FULLCHECK("sit");
+ sit:
 				if (state && lookup->edns == -1)
 					lookup->edns = 0;
 				lookup->sit = state;
@@ -1272,11 +1336,11 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 
 			result = parse_uint(&splitwidth, value,
 					    1023, "split");
-			if (splitwidth % 4 != 0) {
+			if ((splitwidth % 4) != 0U) {
 				splitwidth = ((splitwidth + 3) / 4) * 4;
 				fprintf(stderr, ";; Warning, split must be "
 						"a multiple of 4; adjusting "
-						"to %d\n", splitwidth);
+						"to %u\n", splitwidth);
 			}
 			/*
 			 * There is an adjustment done in the
@@ -1307,7 +1371,10 @@ plus_option(const char *option, isc_boolean_t is_batchfile,
 			}
 			if (lookup->edns == -1)
 				lookup->edns = 0;
-
+			if (lookup->ecs_addr != NULL) {
+				isc_mem_free(mctx, lookup->ecs_addr);
+				lookup->ecs_addr = NULL;
+			}
 			result = parse_netprefix(&lookup->ecs_addr, value);
 			if (result != ISC_R_SUCCESS)
 				fatal("Couldn't parse client");
@@ -1564,8 +1631,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		batchname = value;
 		return (value_from_next);
 	case 'k':
-		strncpy(keyfile, value, sizeof(keyfile));
-		keyfile[sizeof(keyfile)-1]=0;
+		strlcpy(keyfile, value, sizeof(keyfile));
 		return (value_from_next);
 	case 'p':
 		result = parse_uint(&num, value, MAXPORT, "port number");
@@ -1579,9 +1645,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 				(*lookup) = clone_lookup(default_lookup,
 							 ISC_TRUE);
 			*need_clone = ISC_TRUE;
-			strncpy((*lookup)->textname, value,
+			strlcpy((*lookup)->textname, value,
 				sizeof((*lookup)->textname));
-			(*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
 			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
 						     (*lookup)->ns_search_only);
 			(*lookup)->new_search = ISC_TRUE;
@@ -1662,10 +1727,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 #endif
 			digestbits = 0;
 		}
-		strncpy(keynametext, ptr, sizeof(keynametext));
-		keynametext[sizeof(keynametext)-1]=0;
-		strncpy(keysecret, ptr2, sizeof(keysecret));
-		keysecret[sizeof(keysecret)-1]=0;
+		strlcpy(keynametext, ptr, sizeof(keynametext));
+		strlcpy(keysecret, ptr2, sizeof(keysecret));
 		return (value_from_next);
 	case 'x':
 		if (*need_clone)
@@ -1673,9 +1736,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		*need_clone = ISC_TRUE;
 		if (get_reverse(textname, sizeof(textname), value,
 				ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
-			strncpy((*lookup)->textname, textname,
+			strlcpy((*lookup)->textname, textname,
 				sizeof((*lookup)->textname));
-			(*lookup)->textname[sizeof((*lookup)->textname)-1] = 0;
 			debug("looking up %s", (*lookup)->textname);
 			(*lookup)->trace_root = ISC_TF((*lookup)->trace  ||
 						(*lookup)->ns_search_only);
@@ -1799,8 +1861,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				bargc = 1;
 				input = batchline;
 				bargv[bargc] = next_token(&input, " \t\r\n");
-				while ((bargv[bargc] != NULL) &&
-				       (bargc < 62)) {
+				while ((bargc < 62) && (bargv[bargc] != NULL)) {
 					bargc++;
 					bargv[bargc] =
 						next_token(&input, " \t\r\n");
@@ -1949,9 +2010,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 					lookup = clone_lookup(default_lookup,
 								      ISC_TRUE);
 				need_clone = ISC_TRUE;
-				strncpy(lookup->textname, rv[0],
+				strlcpy(lookup->textname, rv[0],
 					sizeof(lookup->textname));
-				lookup->textname[sizeof(lookup->textname)-1]=0;
 				lookup->trace_root = ISC_TF(lookup->trace  ||
 						     lookup->ns_search_only);
 				lookup->new_search = ISC_TRUE;
@@ -1992,7 +2052,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 				goto next_line;
 			input = batchline;
 			bargv[bargc] = next_token(&input, " \t\r\n");
-			while ((bargv[bargc] != NULL) && (bargc < 14)) {
+			while ((bargc < 14) && (bargv[bargc] != NULL)) {
 				bargc++;
 				bargv[bargc] = next_token(&input, " \t\r\n");
 			}
@@ -2017,7 +2077,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 		lookup->trace_root = ISC_TF(lookup->trace ||
 					    lookup->ns_search_only);
 		lookup->new_search = ISC_TRUE;
-		strcpy(lookup->textname, ".");
+		strlcpy(lookup->textname, ".", sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ns;
 		lookup->rdtypeset = ISC_TRUE;
 		if (firstarg) {
@@ -2035,8 +2095,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
  * Here, we're possibly reading from a batch file, then shutting down
  * for real if there's nothing in the batch file to read.
  */
-void
-dighost_shutdown(void) {
+static void
+query_finished(void) {
 	char batchline[MXNAME];
 	int bargc;
 	char *bargv[16];
@@ -2062,7 +2122,7 @@ dighost_shutdown(void) {
 		bargc = 1;
 		input = batchline;
 		bargv[bargc] = next_token(&input, " \t\r\n");
-		while ((bargv[bargc] != NULL) && (bargc < 14)) {
+		while ((bargc < 14) && (bargv[bargc] != NULL)) {
 			bargc++;
 			bargv[bargc] = next_token(&input, " \t\r\n");
 		}
@@ -2082,9 +2142,8 @@ dighost_shutdown(void) {
 	}
 }
 
-/*% Main processing routine for dig */
-int
-main(int argc, char **argv) {
+void dig_setup(int argc, char **argv)
+{
 	isc_result_t result;
 
 	ISC_LIST_INIT(lookup_list);
@@ -2096,38 +2155,90 @@ main(int argc, char **argv) {
 		exit(1);
 	}
 
-	debug("main()");
-	preparse_args(argc, argv);
+	debug("dig_setup()");
+
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+
 	progname = argv[0];
+	preparse_args(argc, argv);
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
+
 	setup_libs();
-	parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
+	setup_system();
+}
+
+void dig_query_setup(isc_boolean_t is_batchfile, isc_boolean_t config_only,
+		int argc, char **argv)
+{
+	debug("dig_query_setup");
+
+	parse_args(is_batchfile, config_only, argc, argv);
+	if (keyfile[0] != 0)
+		setup_file_key();
+	else if (keysecret[0] != 0)
+		setup_text_key();
 
 	if (pledge("stdio inet dns", NULL) == -1) {
 		perror("pledge");
 		exit(1);
 	}
 
-	setup_system();
 	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
 		usesearch = ISC_TRUE;
 	}
+}
+
+void dig_startup() {
+	isc_result_t result;
+
+	debug("dig_startup()");
+
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
 	isc_app_run();
+}
+
+void dig_query_start()
+{
+	start_lookup();
+}
+
+void
+dig_shutdown() {
 	destroy_lookup(default_lookup);
 	if (batchname != NULL) {
 		if (batchfp != stdin)
 			fclose(batchfp);
 		batchname = NULL;
 	}
+
 #ifdef DIG_SIGCHASE
 	clean_trustedkey();
 #endif
+
 	cancel_all();
 	destroy_libs();
 	isc_app_finish();
+}
+
+/*% Main processing routine for dig */
+int
+main(int argc, char **argv) {
+
+	dig_setup(argc, argv);
+	dig_query_setup(ISC_FALSE, ISC_FALSE, argc, argv);
+	dig_startup();
+	dig_shutdown();
+
 	return (exitcode);
 }
diff --git a/usr.sbin/bind/bin/dig/dig.docbook b/usr.sbin/bind/bin/dig/dig.docbook
index 577d6d0d232..8e6c31a2787 100644
--- a/usr.sbin/bind/bin/dig/dig.docbook
+++ b/usr.sbin/bind/bin/dig/dig.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2011, 2013-2017  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +39,10 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2006</year>
@@ -53,15 +56,9 @@
       <year>2015</year>
       <year>2016</year>
       <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
@@ -79,8 +76,10 @@
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-4</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
       <arg choice="opt" rep="norepeat">name</arg>
       <arg choice="opt" rep="norepeat">type</arg>
       <arg choice="opt" rep="norepeat">class</arg>
@@ -101,8 +100,7 @@
 
   <refsection><info><title>DESCRIPTION</title></info>
 
-    <para><command>dig</command>
-      (domain information groper) is a flexible tool
+    <para><command>dig</command> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <command>dig</command> to
@@ -282,9 +280,9 @@
         <term>-i</term>
         <listitem>
 	  <para>
-	    Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
-	    label queries (RFC2874) are not attempted.
+	    label queries (RFC 2874) are not attempted.
 	  </para>
         </listitem>
       </varlistentry>
@@ -345,24 +343,39 @@
         <term>-t <replaceable class="parameter">type</replaceable></term>
         <listitem>
 	  <para>
-	    The resource record type to query. It can be any valid query type
-	    which is
-	    supported in BIND 9.  The default query type is "A", unless the
-	    <option>-x</option> option is supplied to indicate a reverse lookup.
-	    A zone transfer can be requested by specifying a type of AXFR.  When
+	    The resource record type to query. It can be any valid query
+	    type.  If it is a resource record type supported in BIND 9, it
+	    can be given by the type mnemonic (such as "NS" or "AAAA").
+	    The default query type is "A", unless the <option>-x</option>
+	    option is supplied to indicate a reverse lookup.  A zone
+	    transfer can be requested by specifying a type of AXFR.  When
 	    an incremental zone transfer (IXFR) is required, set the
 	    <parameter>type</parameter> to <literal>ixfr=N</literal>.
 	    The incremental zone transfer will contain the changes
 	    made to the zone since the serial number in the zone's SOA
-	    record was
-	    <parameter>N</parameter>.
+	    record was <parameter>N</parameter>.
 	  </para>
-        </listitem>
+	  <para>
+	    All resource record types can be expressed as "TYPEnn", where
+	    "nn" is the number of the type. If the resource record type is
+	    not supported in BIND 9, the result will be displayed as
+	    described in RFC 3597.
+	  </para>
+	</listitem>
       </varlistentry>
 
       <varlistentry>
-        <term>-v</term>
-        <listitem>
+	<term>-u</term>
+	<listitem>
+	  <para>
+	    Print query times in microseconds instead of milliseconds.
+	  </para>
+	</listitem>
+      </varlistentry>
+
+      <varlistentry>
+	<term>-v</term>
+	<listitem>
 	  <para>
 	    Print the version number and exit.
 	  </para>
@@ -592,6 +605,36 @@
 	</varlistentry>
 
 	<varlistentry>
+	  <term><option>+[no]cookie<optional>=####</optional></option></term>
+	  <listitem>
+	    <para>
+	      Send an COOKIE EDNS option, containing an optional
+	      <replaceable>value</replaceable>.  Replaying a COOKIE
+	      from a previous response will allow the server to
+	      identify a previous client.  The default is
+	      <option>+nocookie</option>.
+	    </para>
+	    <para>
+	      <command>+cookie</command> is automatically set when +trace
+	      is in use, to better emulate the default queries from a
+	      nameserver.
+	    </para>
+	    <para>
+	      This option was formerly called <option>+[no]sit</option>
+              (Server Identity Token). In BIND 9.10.0 through BIND 9.10.2,
+              it sent the experimental option code 65001.  This was
+              changed to option code 10 in BIND 9.10.3 when the DNS
+              COOKIE option was allocated.
+	    </para>
+	    <para>
+	      The <option>+[no]sit</option> is now deprecated, but has
+              been retained as a synonym for <option>+[no]cookie</option>
+              for backward compatibility within the BIND 9.10 branch.
+	    </para>
+	  </listitem>
+	</varlistentry>
+
+	<varlistentry>
 	  <term><option>+[no]crypto</option></term>
 	  <listitem>
 	    <para>
@@ -683,8 +726,11 @@
 	    <para>
 	      Specify EDNS option with code point <option>code</option>
 	      and optionally payload of <option>value</option> as a
-	      hexadecimal string.  <option>+noednsopt</option>
-	      clears the EDNS options to to be sent.
+	      hexadecimal string.  <option>code</option> can be
+	      either an EDNS option name (for example,
+	      <literal>NSID</literal> or <literal>ECS</literal>),
+	      or an arbitrary numeric value.  <option>+noednsopt</option>
+	      clears the EDNS options to be sent.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -953,11 +999,10 @@
 	  <term><option>+[no]sit<optional>=####</optional></option></term>
 	  <listitem>
 	    <para>
-	      Send a Source Identity Token EDNS option, with optional
-	      value.  Replaying a SIT from a previous response will
-	      allow the server to identify a previous client.  The
-	      default is <option>+nosit</option>.  Currently using
-	      experimental value 65001 for the option code.
+	      This option is a synonym for <option>+[no]cookie</option>.
+	    </para>
+	    <para>
+	      The <option>+[no]sit</option> is deprecated.
 	    </para>
 	  </listitem>
 	</varlistentry>
@@ -1215,7 +1260,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       <citerefentry>
 	<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
       </citerefentry>,
-      <citetitle>RFC1035</citetitle>.
+      <citetitle>RFC 1035</citetitle>.
     </para>
   </refsection>
 
diff --git a/usr.sbin/bind/bin/dig/dig.html b/usr.sbin/bind/bin/dig/dig.html
index cefd67fc179..20462f69b6c 100644
--- a/usr.sbin/bind/bin/dig/dig.html
+++ b/usr.sbin/bind/bin/dig/dig.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2011, 2013-2017 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
+ - Copyright (C) 2000-2011, 2013-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -54,8 +53,10 @@
        [<code class="option">-v</code>]
        [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>]
        [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>]
-       [<code class="option">-4</code>]
-       [<code class="option">-6</code>]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
        [name]
        [type]
        [class]
@@ -77,8 +78,7 @@
   <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
 
-    <p><span class="command"><strong>dig</strong></span>
-      (domain information groper) is a flexible tool
+    <p><span class="command"><strong>dig</strong></span> is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
       displays the answers that are returned from the name server(s) that
       were queried.  Most DNS administrators use <span class="command"><strong>dig</strong></span> to
@@ -238,9 +238,9 @@
 <dt><span class="term">-i</span></dt>
 <dd>
 	  <p>
-	    Do reverse IPv6 lookups using the obsolete RFC1886 IP6.INT
+	    Do reverse IPv6 lookups using the obsolete RFC 1886 IP6.INT
 	    domain, which is no longer in use. Obsolete bit string
-	    label queries (RFC2874) are not attempted.
+	    label queries (RFC 2874) are not attempted.
 	  </p>
         </dd>
 <dt><span class="term">-k <em class="replaceable"><code>keyfile</code></em></span></dt>
@@ -285,19 +285,31 @@
 <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 <dd>
 	  <p>
-	    The resource record type to query. It can be any valid query type
-	    which is
-	    supported in BIND 9.  The default query type is "A", unless the
-	    <code class="option">-x</code> option is supplied to indicate a reverse lookup.
-	    A zone transfer can be requested by specifying a type of AXFR.  When
+	    The resource record type to query. It can be any valid query
+	    type.  If it is a resource record type supported in BIND 9, it
+	    can be given by the type mnemonic (such as "NS" or "AAAA").
+	    The default query type is "A", unless the <code class="option">-x</code>
+	    option is supplied to indicate a reverse lookup.  A zone
+	    transfer can be requested by specifying a type of AXFR.  When
 	    an incremental zone transfer (IXFR) is required, set the
 	    <em class="parameter"><code>type</code></em> to <code class="literal">ixfr=N</code>.
 	    The incremental zone transfer will contain the changes
 	    made to the zone since the serial number in the zone's SOA
-	    record was
-	    <em class="parameter"><code>N</code></em>.
+	    record was <em class="parameter"><code>N</code></em>.
 	  </p>
-        </dd>
+	  <p>
+	    All resource record types can be expressed as "TYPEnn", where
+	    "nn" is the number of the type. If the resource record type is
+	    not supported in BIND 9, the result will be displayed as
+	    described in RFC 3597.
+	  </p>
+	</dd>
+<dt><span class="term">-u</span></dt>
+<dd>
+	  <p>
+	    Print query times in microseconds instead of milliseconds.
+	  </p>
+	</dd>
 <dt><span class="term">-v</span></dt>
 <dd>
 	  <p>
@@ -482,6 +494,33 @@
 	      The default is to print comments.
 	    </p>
 	  </dd>
+<dt><span class="term"><code class="option">+[no]cookie[<span class="optional">=####</span>]</code></span></dt>
+<dd>
+	    <p>
+	      Send an COOKIE EDNS option, containing an optional
+	      <em class="replaceable"><code>value</code></em>.  Replaying a COOKIE
+	      from a previous response will allow the server to
+	      identify a previous client.  The default is
+	      <code class="option">+nocookie</code>.
+	    </p>
+	    <p>
+	      <span class="command"><strong>+cookie</strong></span> is automatically set when +trace
+	      is in use, to better emulate the default queries from a
+	      nameserver.
+	    </p>
+	    <p>
+	      This option was formerly called <code class="option">+[no]sit</code>
+              (Server Identity Token). In BIND 9.10.0 through BIND 9.10.2,
+              it sent the experimental option code 65001.  This was
+              changed to option code 10 in BIND 9.10.3 when the DNS
+              COOKIE option was allocated.
+	    </p>
+	    <p>
+	      The <code class="option">+[no]sit</code> is now deprecated, but has
+              been retained as a synonym for <code class="option">+[no]cookie</code>
+              for backward compatibility within the BIND 9.10 branch.
+	    </p>
+	  </dd>
 <dt><span class="term"><code class="option">+[no]crypto</code></span></dt>
 <dd>
 	    <p>
@@ -552,8 +591,11 @@
 	    <p>
 	      Specify EDNS option with code point <code class="option">code</code>
 	      and optionally payload of <code class="option">value</code> as a
-	      hexadecimal string.  <code class="option">+noednsopt</code>
-	      clears the EDNS options to to be sent.
+	      hexadecimal string.  <code class="option">code</code> can be
+	      either an EDNS option name (for example,
+	      <code class="literal">NSID</code> or <code class="literal">ECS</code>),
+	      or an arbitrary numeric value.  <code class="option">+noednsopt</code>
+	      clears the EDNS options to be sent.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+[no]expire</code></span></dt>
@@ -753,11 +795,10 @@
 <dt><span class="term"><code class="option">+[no]sit[<span class="optional">=####</span>]</code></span></dt>
 <dd>
 	    <p>
-	      Send a Source Identity Token EDNS option, with optional
-	      value.  Replaying a SIT from a previous response will
-	      allow the server to identify a previous client.  The
-	      default is <code class="option">+nosit</code>.  Currently using
-	      experimental value 65001 for the option code.
+	      This option is a synonym for <code class="option">+[no]cookie</code>.
+	    </p>
+	    <p>
+	      The <code class="option">+[no]sit</code> is deprecated.
 	    </p>
 	  </dd>
 <dt><span class="term"><code class="option">+split=W</code></span></dt>
@@ -987,7 +1028,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
       <span class="citerefentry">
 	<span class="refentrytitle">dnssec-keygen</span>(8)
       </span>,
-      <em class="citetitle">RFC1035</em>.
+      <em class="citetitle">RFC 1035</em>.
     </p>
   </div>
 
diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c
index 14c34bc488f..b0d9ae1bcee 100644
--- a/usr.sbin/bind/bin/dig/dighost.c
+++ b/usr.sbin/bind/bin/dig/dighost.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.19 2019/12/16 16:16:23 deraadt Exp $ */
+/* $Id: dighost.c,v 1.20 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file
  *  \note
@@ -193,7 +192,7 @@ unsigned char cookie[8];
 dns_name_t *hmacname = NULL;
 unsigned int digestbits = 0;
 isc_buffer_t *namebuf = NULL;
-dns_tsigkey_t *key = NULL;
+dns_tsigkey_t *tsigkey = NULL;
 isc_boolean_t validated = ISC_TRUE;
 isc_entropy_t *entp = NULL;
 isc_mempool_t *commctx = NULL;
@@ -252,13 +251,13 @@ isc_result_t	  prove_nx_domain(dns_message_t * msg,
 				  dns_rdataset_t ** sigrdataset);
 isc_result_t	  prove_nx_type(dns_message_t * msg, dns_name_t *name,
 				dns_rdataset_t *nsec,
-				dns_rdataclass_t class,
+				dns_rdataclass_t rdclass,
 				dns_rdatatype_t type,
 				dns_name_t * rdata_name,
 				dns_rdataset_t ** rdataset,
 				dns_rdataset_t ** sigrdataset);
 isc_result_t	  prove_nx(dns_message_t * msg, dns_name_t * name,
-			   dns_rdataclass_t class,
+			   dns_rdataclass_t rdclass,
 			   dns_rdatatype_t type,
 			   dns_name_t * rdata_name,
 			   dns_rdataset_t ** rdataset,
@@ -361,6 +360,29 @@ struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
 		     "isc_mutex_unlock");\
 }
 
+/* dynamic callbacks */
+
+#ifdef DIG_SIGCHASE
+isc_result_t
+(*dighost_printrdataset)(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+	  isc_buffer_t *target);
+#endif
+
+isc_result_t
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg,
+	isc_boolean_t headers);
+
+void
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
+
+void
+(*dighost_trying)(char *frm, dig_lookup_t *lookup);
+
+void
+(*dighost_shutdown)(void);
+
+/* forward declarations */
+
 static void
 cancel_lookup(dig_lookup_t *lookup);
 
@@ -425,7 +447,7 @@ hex_dump(isc_buffer_t *b) {
 
 	isc_buffer_usedregion(b, &r);
 
-	printf("%d bytes\n", r.length);
+	printf("%u bytes\n", r.length);
 	for (len = 0; len < r.length; len++) {
 		printf("%02x ", r.base[len]);
 		if (len % 16 == 15) {
@@ -458,8 +480,8 @@ hex_dump(isc_buffer_t *b) {
  * ISC_R_NOSPACE if that would advance p past 'end'.
  */
 static isc_result_t
-append(const char *text, int len, char **p, char *end) {
-	if (len > end - *p)
+append(const char *text, size_t len, char **p, char *end) {
+	if (*p + len > end)
 		return (ISC_R_NOSPACE);
 	memmove(*p, text, len);
 	*p += len;
@@ -469,7 +491,7 @@ append(const char *text, int len, char **p, char *end) {
 static isc_result_t
 reverse_octets(const char *in, char **p, char *end) {
 	const char *dot = strchr(in, '.');
-	int len;
+	size_t len;
 	if (dot != NULL) {
 		isc_result_t result;
 		result = reverse_octets(dot + 1, p, end);
@@ -560,7 +582,7 @@ debug(const char *format, ...) {
 		fflush(stdout);
 		if (debugtiming) {
 			TIME_NOW(&t);
-			fprintf(stderr, "%d.%06d: ", isc_time_seconds(&t),
+			fprintf(stderr, "%u.%06u: ", isc_time_seconds(&t),
 				isc_time_nanoseconds(&t) / 1000);
 		}
 		va_start(args, format);
@@ -839,6 +861,7 @@ make_empty_lookup(void) {
 	looknew->ednsopts = NULL;
 	looknew->ednsoptscnt = 0;
 	looknew->ednsneg = ISC_FALSE;
+	looknew->eoferr = 0;
 	dns_fixedname_init(&looknew->fdomain);
 	ISC_LINK_INIT(looknew, link);
 	ISC_LIST_INIT(looknew->q);
@@ -847,6 +870,41 @@ make_empty_lookup(void) {
 	return (looknew);
 }
 
+#define EDNSOPT_OPTIONS 100U
+
+static void
+cloneopts(dig_lookup_t *looknew, dig_lookup_t *lookold) {
+	size_t len = sizeof(looknew->ednsopts[0]) * EDNSOPT_OPTIONS;
+	size_t i;
+	looknew->ednsopts = isc_mem_allocate(mctx, len);
+	if (looknew->ednsopts == NULL)
+		fatal("out of memory");
+	for (i = 0; i < EDNSOPT_OPTIONS; i++) {
+		looknew->ednsopts[i].code = 0;
+		looknew->ednsopts[i].length = 0;
+		looknew->ednsopts[i].value = NULL;
+	}
+	looknew->ednsoptscnt = 0;
+	if (lookold == NULL || lookold->ednsopts == NULL)
+		return;
+
+	for (i = 0; i < lookold->ednsoptscnt; i++) {
+		len = lookold->ednsopts[i].length;
+		if (len != 0) {
+			INSIST(lookold->ednsopts[i].value != NULL);
+			looknew->ednsopts[i].value =
+				 isc_mem_allocate(mctx, len);
+			if (looknew->ednsopts[i].value == NULL)
+				fatal("out of memory");
+			memmove(looknew->ednsopts[i].value,
+				lookold->ednsopts[i].value, len);
+		}
+		looknew->ednsopts[i].code = lookold->ednsopts[i].code;
+		looknew->ednsopts[i].length = len;
+	}
+	looknew->ednsoptscnt = lookold->ednsoptscnt;
+}
+
 /*%
  * Clone a lookup, perhaps copying the server list.  This does not clone
  * the query list, since it will be regenerated by the setup_lookup()
@@ -893,8 +951,12 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->sit = lookold->sit;
 	looknew->sitvalue = lookold->sitvalue;
 #endif
-	looknew->ednsopts = lookold->ednsopts;
-	looknew->ednsoptscnt = lookold->ednsoptscnt;
+	if (lookold->ednsopts != NULL) {
+		cloneopts(looknew, lookold);
+	} else {
+		looknew->ednsopts = NULL;
+		looknew->ednsoptscnt = 0;
+	}
 	looknew->ednsneg = lookold->ednsneg;
 	looknew->idnout = lookold->idnout;
 #ifdef DIG_SIGCHASE
@@ -924,10 +986,12 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->section_answer = lookold->section_answer;
 	looknew->section_authority = lookold->section_authority;
 	looknew->section_additional = lookold->section_additional;
+	looknew->origin = lookold->origin;
 	looknew->retries = lookold->retries;
 	looknew->tsigctx = NULL;
 	looknew->need_search = lookold->need_search;
 	looknew->done_as_is = lookold->done_as_is;
+	looknew->eoferr = lookold->eoferr;
 
 	if (lookold->ecs_addr != NULL) {
 		size_t len = sizeof(isc_sockaddr_t);
@@ -975,8 +1039,7 @@ requeue_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	return (looknew);
 }
 
-
-static void
+void
 setup_text_key(void) {
 	isc_result_t result;
 	dns_name_t keyname;
@@ -1013,13 +1076,13 @@ setup_text_key(void) {
 
 	result = dns_tsigkey_create(&keyname, hmacname, secretstore,
 				    (int)secretsize, ISC_FALSE, NULL, 0, 0,
-				    mctx, NULL, &key);
+				    mctx, NULL, &tsigkey);
  failure:
 	if (result != ISC_R_SUCCESS)
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
 	else
-		dst_key_setbits(key->key, digestbits);
+		dst_key_setbits(tsigkey->key, digestbits);
 
 	isc_mem_free(mctx, secretstore);
 	dns_name_invalidate(&keyname);
@@ -1078,6 +1141,8 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 	isc_boolean_t prefix_parsed = ISC_FALSE;
 	char buf[sizeof("xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:XXX.XXX.XXX.XXX/128")];
 
+	REQUIRE(sap != NULL && *sap == NULL);
+
 	if (strlcpy(buf, value, sizeof(buf)) >= sizeof(buf))
 		fatal("invalid prefix '%s'\n", value);
 
@@ -1088,7 +1153,6 @@ parse_netprefix(isc_sockaddr_t **sap, const char *value) {
 
 	if (strcmp(buf, "0") == 0) {
 		sa->type.sa.sa_family = AF_UNSPEC;
-		parsed = ISC_TRUE;
 		prefix_length = 0;
 		goto done;
 	}
@@ -1252,7 +1316,7 @@ read_confkey(void) {
 	return (result);
 }
 
-static void
+void
 setup_file_key(void) {
 	isc_result_t result;
 	dst_key_t *dstkey = NULL;
@@ -1305,7 +1369,7 @@ setup_file_key(void) {
 	}
 	result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
 					   dstkey, ISC_FALSE, NULL, 0, 0,
-					   mctx, NULL, &key);
+					   mctx, NULL, &tsigkey);
 	if (result != ISC_R_SUCCESS) {
 		printf(";; Couldn't create key %s: %s\n",
 		       keynametext, isc_result_totext(result));
@@ -1533,26 +1597,64 @@ setup_libs(void) {
 	check_result(result, "isc_mutex_init");
 }
 
-#define EDNSOPTS 100U
-static dns_ednsopt_t ednsopts[EDNSOPTS];
-static unsigned char ednsoptscnt = 0;
+typedef struct dig_ednsoptname {
+	isc_uint32_t code;
+	const char  *name;
+} dig_ednsoptname_t;
+
+dig_ednsoptname_t optnames[] = {
+	{ 3, "NSID" },		/* RFC 5001 */
+	{ 5, "DAU" },		/* RFC 6975 */
+	{ 6, "DHU" },		/* RFC 6975 */
+	{ 7, "N3U" },		/* RFC 6975 */
+	{ 8, "ECS" },		/* RFC 7871 */
+	{ 9, "EXPIRE" },	/* RFC 7314 */
+	{ 10, "COOKIE" },	/* RFC 7873 */
+	{ 11, "KEEPALIVE" },	/* RFC 7828 */
+	{ 12, "PADDING" },	/* RFC 7830 */
+	{ 12, "PAD" },		/* shorthand */
+	{ 13, "CHAIN" },	/* RFC 7901 */
+	{ 14, "KEY-TAG" },	/* RFC 8145 */
+	{ 26946, "DEVICEID" },	/* Brian Hartvigsen */
+};
+
+#define N_EDNS_OPTNAMES  (sizeof(optnames) / sizeof(optnames[0]))
 
 void
 save_opt(dig_lookup_t *lookup, char *code, char *value) {
-	isc_uint32_t num;
-	isc_buffer_t b;
 	isc_result_t result;
+	isc_uint32_t num = 0;
+	isc_buffer_t b;
+	isc_boolean_t found = ISC_FALSE;
+	unsigned int i;
 
-	if (ednsoptscnt == EDNSOPTS)
+	if (lookup->ednsoptscnt >= EDNSOPT_OPTIONS)
 		fatal("too many ednsopts");
 
-	result = parse_uint(&num, code, 65535, "ednsopt");
-	if (result != ISC_R_SUCCESS)
-		fatal("bad edns code point: %s", code);
+	for (i = 0; i < N_EDNS_OPTNAMES; i++) {
+		if (strcasecmp(code, optnames[i].name) == 0) {
+			num = optnames[i].code;
+			found = ISC_TRUE;
+			break;
+		}
+	}
+
+	if (!found) {
+		result = parse_uint(&num, code, 65535, "ednsopt");
+		if (result != ISC_R_SUCCESS)
+			fatal("bad edns code point: %s", code);
+	}
+
+	if (lookup->ednsopts == NULL) {
+		cloneopts(lookup, NULL);
+	}
 
-	ednsopts[ednsoptscnt].code = num;
-	ednsopts[ednsoptscnt].length = 0;
-	ednsopts[ednsoptscnt].value = NULL;
+	if (lookup->ednsopts[lookup->ednsoptscnt].value != NULL)
+		isc_mem_free(mctx, lookup->ednsopts[lookup->ednsoptscnt].value);
+
+	lookup->ednsopts[lookup->ednsoptscnt].code = num;
+	lookup->ednsopts[lookup->ednsoptscnt].length = 0;
+	lookup->ednsopts[lookup->ednsoptscnt].value = NULL;
 
 	if (value != NULL) {
 		char *buf;
@@ -1562,14 +1664,13 @@ save_opt(dig_lookup_t *lookup, char *code, char *value) {
 		isc_buffer_init(&b, buf, (unsigned int) strlen(value)/2 + 1);
 		result = isc_hex_decodestring(value, &b);
 		check_result(result, "isc_hex_decodestring");
-		ednsopts[ednsoptscnt].value = isc_buffer_base(&b);
-		ednsopts[ednsoptscnt].length = isc_buffer_usedlength(&b);
+		lookup->ednsopts[lookup->ednsoptscnt].value =
+						 isc_buffer_base(&b);
+		lookup->ednsopts[lookup->ednsoptscnt].length =
+						 isc_buffer_usedlength(&b);
 	}
 
-	if (lookup->ednsoptscnt == 0)
-		lookup->ednsopts = &ednsopts[ednsoptscnt];
 	lookup->ednsoptscnt++;
-	ednsoptscnt++;
 }
 
 /*%
@@ -1748,6 +1849,15 @@ destroy_lookup(dig_lookup_t *lookup) {
 	if (lookup->ecs_addr != NULL)
 		isc_mem_free(mctx, lookup->ecs_addr);
 
+	if (lookup->ednsopts != NULL) {
+		size_t i;
+		for (i = 0; i < EDNSOPT_OPTIONS; i++) {
+			if (lookup->ednsopts[i].value != NULL)
+				isc_mem_free(mctx, lookup->ednsopts[i].value);
+		}
+		isc_mem_free(mctx, lookup->ednsopts);
+	}
+
 	isc_mem_free(mctx, lookup);
 }
 
@@ -2004,7 +2114,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
 				       namestr, isc_result_totext(lresult));
 				if (addresses_result == ISC_R_SUCCESS) {
 					addresses_result = lresult;
-					strcpy(bad_namestr, namestr);
+					strlcpy(bad_namestr, namestr,
+						sizeof(bad_namestr));
 				}
 			}
 			numLookups += num;
@@ -2236,10 +2347,10 @@ setup_lookup(dig_lookup_t *lookup) {
 	check_result(result, "dns_message_gettempname");
 	dns_name_init(lookup->name, NULL);
 
-	isc_buffer_init(&lookup->namebuf, lookup->namespace,
-			sizeof(lookup->namespace));
-	isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
-			sizeof(lookup->onamespace));
+	isc_buffer_init(&lookup->namebuf, lookup->name_space,
+			sizeof(lookup->name_space));
+	isc_buffer_init(&lookup->onamebuf, lookup->oname_space,
+			sizeof(lookup->oname_space));
 
 #ifdef WITH_IDN
 	/*
@@ -2383,7 +2494,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		}
 	}
 	dns_name_format(lookup->name, store, sizeof(store));
-	trying(store, lookup);
+	dighost_trying(store, lookup);
 	INSIST(dns_name_isabsolute(lookup->name));
 
 	isc_random_get(&id);
@@ -2451,9 +2562,9 @@ setup_lookup(dig_lookup_t *lookup) {
 	/* XXX Insist this? */
 	lookup->tsigctx = NULL;
 	lookup->querysig = NULL;
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		debug("initializing keys");
-		result = dns_message_settsigkey(lookup->sendmsg, key);
+		result = dns_message_settsigkey(lookup->sendmsg, tsigkey);
 		check_result(result, "dns_message_settsigkey");
 	}
 
@@ -2472,9 +2583,10 @@ setup_lookup(dig_lookup_t *lookup) {
 	if (lookup->udpsize > 0 || lookup->dnssec ||
 	    lookup->edns > -1 || lookup->ecs_addr != NULL)
 	{
-		dns_ednsopt_t opts[EDNSOPTS + DNS_EDNSOPTIONS];
+#define MAXOPTS (EDNSOPT_OPTIONS + DNS_EDNSOPTIONS)
+		dns_ednsopt_t opts[MAXOPTS];
 		unsigned int flags;
-		int i = 0;
+		unsigned int i = 0;
 
 		if (lookup->udpsize == 0)
 			lookup->udpsize = 4096;
@@ -2482,7 +2594,7 @@ setup_lookup(dig_lookup_t *lookup) {
 			lookup->edns = 0;
 
 		if (lookup->nsid) {
-			INSIST(i < DNS_EDNSOPTIONS);
+			INSIST(i < MAXOPTS);
 			opts[i].code = DNS_OPT_NSID;
 			opts[i].length = 0;
 			opts[i].value = NULL;
@@ -2504,7 +2616,7 @@ setup_lookup(dig_lookup_t *lookup) {
 			/* Round up prefix len to a multiple of 8 */
 			addrl = (plen + 7) / 8;
 
-			INSIST(i < DNS_EDNSOPTIONS);
+			INSIST(i < MAXOPTS);
 			opts[i].code = DNS_OPT_CLIENT_SUBNET;
 			opts[i].length = (isc_uint16_t) addrl + 4;
 			check_result(result, "isc_buffer_allocate");
@@ -2574,7 +2686,7 @@ setup_lookup(dig_lookup_t *lookup) {
 
 #ifdef ISC_PLATFORM_USESIT
 		if (lookup->sit) {
-			INSIST(i < DNS_EDNSOPTIONS);
+			INSIST(i < MAXOPTS);
 			opts[i].code = DNS_OPT_COOKIE;
 			if (lookup->sitvalue != NULL) {
 				isc_buffer_init(&b, sitbuf, sizeof(sitbuf));
@@ -2593,7 +2705,7 @@ setup_lookup(dig_lookup_t *lookup) {
 #endif
 
 		if (lookup->expire) {
-			INSIST(i < DNS_EDNSOPTIONS);
+			INSIST(i < MAXOPTS);
 			opts[i].code = DNS_OPT_EXPIRE;
 			opts[i].length = 0;
 			opts[i].value = NULL;
@@ -2601,6 +2713,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		}
 
 		if (lookup->ednsoptscnt != 0) {
+			INSIST(i + lookup->ednsoptscnt <= MAXOPTS);
 			memmove(&opts[i], lookup->ednsopts,
 				sizeof(dns_ednsopt_t) * lookup->ednsoptscnt);
 			i += lookup->ednsoptscnt;
@@ -2683,7 +2796,7 @@ setup_lookup(dig_lookup_t *lookup) {
 	/* XXX qrflag, print_query, etc... */
 	if (!ISC_LIST_EMPTY(lookup->q) && qr) {
 		extrabytes = 0;
-		printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
+		dighost_printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
 			     ISC_TRUE);
 	}
 	return (ISC_TRUE);
@@ -3083,7 +3196,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t *b = NULL;
 	isc_result_t result;
 	dig_query_t *query = NULL;
-	dig_lookup_t *l;
+	dig_lookup_t *l, *n;
 	isc_uint16_t length;
 
 	REQUIRE(event->ev_type == ISC_SOCKEVENT_RECVDONE);
@@ -3118,13 +3231,20 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
 				    sizeof(sockstr));
 		printf(";; communications error to %s: %s\n",
 		       sockstr, isc_result_totext(sevent->result));
+		if (keep != NULL)
+			isc_socket_detach(&keep);
 		l = query->lookup;
 		isc_socket_detach(&query->sock);
 		sockcount--;
 		debug("sockcount=%d", sockcount);
 		INSIST(sockcount >= 0);
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, ISC_TRUE);
+			n->eoferr++;
+		}
 		isc_event_free(&event);
 		clear_query(query);
+		cancel_lookup(l);
 		check_next_lookup(l);
 		UNLOCK_LOOKUP;
 		return;
@@ -3455,7 +3575,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
 	launch_next_query(query, ISC_FALSE);
 	return (ISC_FALSE);
  doexit:
-	received(sevent->n, &sevent->address, query);
+	dighost_received(sevent->n, &sevent->address, query);
 	return (ISC_TRUE);
 }
 
@@ -3632,13 +3752,20 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		} else {
 			printf(";; communications error: %s\n",
 			       isc_result_totext(sevent->result));
+			if (keep != NULL)
+				isc_socket_detach(&keep);
 			isc_socket_detach(&query->sock);
 			sockcount--;
 			debug("sockcount=%d", sockcount);
 			INSIST(sockcount >= 0);
 		}
+		if (sevent->result == ISC_R_EOF && l->eoferr == 0U) {
+			n = requeue_lookup(l, ISC_TRUE);
+			n->eoferr++;
+		}
 		isc_event_free(&event);
 		clear_query(query);
+		cancel_lookup(l);
 		check_next_lookup(l);
 		UNLOCK_LOOKUP;
 		return;
@@ -3700,6 +3827,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			if (fail) {
 				isc_event_free(&event);
 				clear_query(query);
+				cancel_lookup(l);
 				check_next_lookup(l);
 				UNLOCK_LOOKUP;
 				return;
@@ -3722,7 +3850,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
 	check_result(result, "dns_message_create");
 
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		if (l->querysig == NULL) {
 			debug("getting initial querysig");
 			result = dns_message_getquerytsig(l->sendmsg, mctx,
@@ -3731,7 +3859,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 		result = dns_message_setquerytsig(msg, l->querysig);
 		check_result(result, "dns_message_setquerytsig");
-		result = dns_message_settsigkey(msg, key);
+		result = dns_message_settsigkey(msg, tsigkey);
 		check_result(result, "dns_message_settsigkey");
 		msg->tsigctx = l->tsigctx;
 		l->tsigctx = NULL;
@@ -3811,6 +3939,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			if (l->tcp_mode) {
 				isc_event_free(&event);
 				clear_query(query);
+				cancel_lookup(l);
 				check_next_lookup(l);
 				UNLOCK_LOOKUP;
 				return;
@@ -3825,10 +3954,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		 */
 		if (l->comments)
 			printf(";; BADVERS, retrying with EDNS version %u.\n",
-			       newedns);
+			       (unsigned int)newedns);
 		l->edns = newedns;
 		n = requeue_lookup(l, ISC_TRUE);
-		n->origin = query->lookup->origin;
 		if (l->trace && l->trace_root)
 			n->rdtype = l->qrdtype;
 		dns_message_destroy(&msg);
@@ -3849,7 +3977,6 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 			printf(";; Truncated, retrying in TCP mode.\n");
 		n = requeue_lookup(l, ISC_TRUE);
 		n->tcp_mode = ISC_TRUE;
-		n->origin = query->lookup->origin;
 		if (l->trace && l->trace_root)
 			n->rdtype = l->qrdtype;
 		dns_message_destroy(&msg);
@@ -3896,7 +4023,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
-	if (key != NULL) {
+	if (tsigkey != NULL) {
 		result = dns_tsig_verify(&query->recvbuf, msg, NULL, NULL);
 		if (result != ISC_R_SUCCESS) {
 			printf(";; Couldn't verify signature: %s\n",
@@ -3962,21 +4089,21 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		if (msg->rcode == dns_rcode_nxdomain &&
 		    (l->origin != NULL || l->need_search)) {
 			if (!next_origin(query->lookup) || showsearch) {
-				printmessage(query, msg, ISC_TRUE);
-				received(b->used, &sevent->address, query);
+				dighost_printmessage(query, msg, ISC_TRUE);
+				dighost_received(b->used, &sevent->address, query);
 			}
 		} else if (!l->trace && !l->ns_search_only) {
 #ifdef DIG_SIGCHASE
 			if (!do_sigchase)
 #endif
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 		} else if (l->trace) {
 			int nl = 0;
 			int count = msg->counts[DNS_SECTION_ANSWER];
 
 			debug("in TRACE code");
 			if (!l->ns_search_only)
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 
 			l->rdtype = l->qrdtype;
 			if (l->trace_root || (l->ns_search_only && count > 0)) {
@@ -4010,7 +4137,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 #ifdef DIG_SIGCHASE
 				if (!do_sigchase)
 #endif
-				printmessage(query, msg, ISC_TRUE);
+				dighost_printmessage(query, msg, ISC_TRUE);
 		}
 #ifdef DIG_SIGCHASE
 		if (do_sigchase) {
@@ -4084,7 +4211,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 #ifdef DIG_SIGCHASE
 			if (!l->sigchase)
 #endif
-				received(b->used, &sevent->address, query);
+				dighost_received(b->used, &sevent->address, query);
 		}
 
 		if (!query->lookup->ns_search_only)
@@ -4168,7 +4295,7 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
 		if (resultp == NULL)
 			fatal("couldn't get address for '%s': %s",
 			      host, isc_result_totext(result));
-		return 0;
+		return (0);
 	}
 
 	for (i = 0; i < count; i++) {
@@ -4178,7 +4305,7 @@ getaddresses(dig_lookup_t *lookup, const char *host, isc_result_t *resultp) {
 		ISC_LIST_APPEND(lookup->my_server_list, srv, link);
 	}
 
-	return count;
+	return (count);
 }
 
 /*%
@@ -4334,9 +4461,9 @@ destroy_libs(void) {
 		debug("freeing timermgr");
 		isc_timermgr_destroy(&timermgr);
 	}
-	if (key != NULL) {
-		debug("freeing key %p", key);
-		dns_tsigkey_detach(&key);
+	if (tsigkey != NULL) {
+		debug("freeing key %p", tsigkey);
+		dns_tsigkey_detach(&tsigkey);
 	}
 	if (namebuf != NULL)
 		isc_buffer_free(&namebuf);
@@ -4393,12 +4520,6 @@ destroy_libs(void) {
 	debug("Removing log context");
 	isc_log_destroy(&lctx);
 
-	while (ednsoptscnt > 0U) {
-		ednsoptscnt--;
-		if (ednsopts[ednsoptscnt].value != NULL)
-			isc_mem_free(mctx, ednsopts[ednsoptscnt].value);
-	}
-
 	debug("Destroy memory");
 	if (memdebugging != 0)
 		isc_mem_stats(mctx, stderr);
@@ -4457,7 +4578,7 @@ output_filter(isc_buffer_t *buffer, unsigned int used_org,
 	 */
 	if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
 		return (ISC_R_SUCCESS);
-	strcpy(tmp1, tmp2);
+	strlcpy(tmp1, tmp2, MAXDLEN);
 
 	/*
 	 * Copy the converted contents in 'tmp1' back to 'buffer'.
@@ -4484,17 +4605,17 @@ append_textname(char *name, const char *origin, size_t namesize) {
 
 	/* Already absolute? */
 	if (namelen > 0 && name[namelen - 1] == '.')
-		return idn_success;
+		return (idn_success);
 
 	/* Append dot and origin */
 
 	if (namelen + 1 + originlen >= namesize)
-		return idn_buffer_overflow;
+		return (idn_buffer_overflow);
 
 	if (*origin != '.')
 		name[namelen++] = '.';
-	(void)strcpy(name + namelen, origin);
-	return idn_success;
+	(void)strlcpy(name + namelen, origin, namesize - namelen);
+	return (idn_success);
 }
 
 static void
@@ -5092,7 +5213,7 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset)
 	result = isc_buffer_allocate(mctx, &b, 9000);
 	check_result(result, "isc_buffer_allocate");
 
-	printrdataset(name, rdataset, b);
+	dighost_printrdataset(name, rdataset, b);
 
 	isc_buffer_usedregion(b, &r);
 	r.base[r.length] = '\0';
@@ -6229,7 +6350,7 @@ prove_nx_domain(dns_message_t *msg,
  */
 isc_result_t
 prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
-	      dns_rdataclass_t class, dns_rdatatype_t type,
+	      dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	      dns_name_t *rdata_name, dns_rdataset_t **rdataset,
 	      dns_rdataset_t **sigrdataset)
 {
@@ -6237,7 +6358,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
 	dns_rdataset_t *signsecset;
 	dns_rdata_t nsec = DNS_RDATA_INIT;
 
-	UNUSED(class);
+	UNUSED(rdclass);
 
 	ret = dns_rdataset_first(nsecset);
 	check_result(ret,"dns_rdataset_first");
@@ -6270,7 +6391,7 @@ prove_nx_type(dns_message_t *msg, dns_name_t *name, dns_rdataset_t *nsecset,
  *
  */
 isc_result_t
-prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
+prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t rdclass,
 	 dns_rdatatype_t type, dns_name_t *rdata_name,
 	 dns_rdataset_t **rdataset, dns_rdataset_t **sigrdataset)
 {
@@ -6292,7 +6413,7 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
 					 DNS_SECTION_AUTHORITY);
 	if (nsecset != NULL) {
 		printf("We have a NSEC for this zone :OK\n");
-		ret = prove_nx_type(msg, name, nsecset, class,
+		ret = prove_nx_type(msg, name, nsecset, rdclass,
 				    type, rdata_name, rdataset,
 				    sigrdataset);
 		if (ret != ISC_R_SUCCESS) {
diff --git a/usr.sbin/bind/bin/dig/host.1 b/usr.sbin/bind/bin/dig/host.1
index cf73ea59bbb..d1ce9dd5e9b 100644
--- a/usr.sbin/bind/bin/dig/host.1
+++ b/usr.sbin/bind/bin/dig/host.1
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000-2002 Internet Software Consortium.
+.\" Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -48,7 +47,7 @@
 host \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP \w'\fBhost\fR\ 'u
-\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [[\fB\-4\fR] | [\fB\-6\fR]] [\fB\-v\fR] [\fB\-V\fR] {name} [server]
 .SH "DESCRIPTION"
 .PP
 \fBhost\fR
@@ -264,7 +263,5 @@ runs\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000-2002 Internet Software Consortium.
+Copyright \(co 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c
index 690ff54ef25..91e88c2a1ec 100644
--- a/usr.sbin/bind/bin/dig/host.c
+++ b/usr.sbin/bind/bin/dig/host.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -169,13 +168,13 @@ show_usage(void) {
 	exit(1);
 }
 
-void
-dighost_shutdown(void) {
-	isc_app_shutdown();
+static void
+host_shutdown(void) {
+	(void) isc_app_shutdown();
 }
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	isc_time_t now;
 	int diff;
 
@@ -189,7 +188,7 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
 	}
 }
 
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(lookup);
 
@@ -233,7 +232,7 @@ say_message(dns_name_t *name, const char *msg, dns_rdata_t *rdata,
 }
 #ifdef DIG_SIGCHASE
 /* Just for compatibility : not use in host program */
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -414,7 +413,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 	}
 }
 
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	isc_boolean_t did_flag = ISC_FALSE;
 	dns_rdataset_t *opt, *tsig = NULL;
@@ -474,9 +473,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		dns_name_format(name, namestr, sizeof(namestr));
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
+			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_aaaa;
 			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
@@ -485,9 +483,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		}
 		lookup = clone_lookup(query->lookup, ISC_FALSE);
 		if (lookup != NULL) {
-			strncpy(lookup->textname, namestr,
+			strlcpy(lookup->textname, namestr,
 				sizeof(lookup->textname));
-			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_mx;
 			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
@@ -859,14 +856,12 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 	lookup->pending = ISC_FALSE;
 	if (get_reverse(store, sizeof(store), hostname,
 			lookup->ip6_int, ISC_TRUE) == ISC_R_SUCCESS) {
-		strncpy(lookup->textname, store, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1] = 0;
+		strlcpy(lookup->textname, store, sizeof(lookup->textname));
 		lookup->rdtype = dns_rdatatype_ptr;
 		lookup->rdtypeset = ISC_TRUE;
 		default_lookups = ISC_FALSE;
 	} else {
-		strncpy(lookup->textname, hostname, sizeof(lookup->textname));
-		lookup->textname[sizeof(lookup->textname)-1]=0;
+		strlcpy(lookup->textname, hostname, sizeof(lookup->textname));
 		usesearch = ISC_TRUE;
 	}
 	lookup->new_search = ISC_TRUE;
@@ -888,6 +883,15 @@ main(int argc, char **argv) {
 	idnoptions = IDN_ASCCHECK;
 #endif
 
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = host_shutdown;
+
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);
diff --git a/usr.sbin/bind/bin/dig/host.docbook b/usr.sbin/bind/bin/dig/host.docbook
index 17eccf8a9da..9e7db9a1f6e 100644
--- a/usr.sbin/bind/bin/dig/host.docbook
+++ b/usr.sbin/bind/bin/dig/host.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -40,6 +39,9 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2002</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
@@ -48,14 +50,10 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2017</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2002</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
@@ -68,8 +66,10 @@
       <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
       <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
-      <arg choice="opt" rep="norepeat"><option>-4</option></arg>
-      <arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      <group choice="opt" rep="norepeat">
+	<arg choice="opt" rep="norepeat"><option>-4</option></arg>
+	<arg choice="opt" rep="norepeat"><option>-6</option></arg>
+      </group>
       <arg choice="opt" rep="norepeat"><option>-v</option></arg>
       <arg choice="opt" rep="norepeat"><option>-V</option></arg>
       <arg choice="req" rep="norepeat">name</arg>
diff --git a/usr.sbin/bind/bin/dig/host.html b/usr.sbin/bind/bin/dig/host.html
index acb1d31d1e5..66c2d1275e0 100644
--- a/usr.sbin/bind/bin/dig/host.html
+++ b/usr.sbin/bind/bin/dig/host.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007-2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2002 Internet Software Consortium.
+ - Copyright (C) 2000-2002, 2004, 2005, 2007-2009, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -49,8 +48,10 @@
        [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
        [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>]
        [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>]
-       [<code class="option">-4</code>]
-       [<code class="option">-6</code>]
+       [
+	[<code class="option">-4</code>]
+	 |  [<code class="option">-6</code>]
+      ]
        [<code class="option">-v</code>]
        [<code class="option">-V</code>]
        {name}
diff --git a/usr.sbin/bind/bin/dig/include/dig/dig.h b/usr.sbin/bind/bin/dig/include/dig/dig.h
index 7983b92c480..c37beaf810b 100644
--- a/usr.sbin/bind/bin/dig/include/dig/dig.h
+++ b/usr.sbin/bind/bin/dig/include/dig/dig.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -161,8 +160,8 @@ isc_boolean_t	sigchase;
 	dns_rdataclass_t rdclass;
 	isc_boolean_t rdtypeset;
 	isc_boolean_t rdclassset;
-	char namespace[BUFSIZE];
-	char onamespace[BUFSIZE];
+	char name_space[BUFSIZE];
+	char oname_space[BUFSIZE];
 	isc_buffer_t namebuf;
 	isc_buffer_t onamebuf;
 	isc_buffer_t renderbuf;
@@ -197,6 +196,7 @@ isc_boolean_t	sigchase;
 	unsigned int ednsoptscnt;
 	unsigned int ednsflags;
 	dns_opcode_t opcode;
+	unsigned int eoferr;
 };
 
 /*% The dig_query structure */
@@ -286,7 +286,7 @@ extern unsigned int digestbits;
 #ifdef DIG_SIGCHASE
 extern char trustedkey[MXNAME];
 #endif
-extern dns_tsigkey_t *key;
+extern dns_tsigkey_t *tsigkey;
 extern isc_boolean_t validated;
 extern isc_taskmgr_t *taskmgr;
 extern isc_task_t *global_task;
@@ -398,37 +398,38 @@ void
 clean_trustedkey(void);
 #endif
 
+char *
+next_token(char **stringp, const char *delim);
+
 /*
- * Routines to be defined in dig.c, host.c, and nslookup.c.
+ * Routines to be defined in dig.c, host.c, and nslookup.c. and
+ * then assigned to the appropriate function pointer
  */
 #ifdef DIG_SIGCHASE
-isc_result_t
-printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
+extern isc_result_t
+(*dighost_printrdataset)(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target);
 #endif
 
-isc_result_t
-printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
+extern isc_result_t
+(*dighost_printmessage)(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
 /*%<
  * Print the final result of the lookup.
  */
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
+extern void
+(*dighost_received)(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query);
 /*%<
  * Print a message about where and when the response
  * was received from, like the final comment in the
  * output of "dig".
  */
 
-void
-trying(char *frm, dig_lookup_t *lookup);
-
-void
-dighost_shutdown(void);
+extern void
+(*dighost_trying)(char *frm, dig_lookup_t *lookup);
 
-char *
-next_token(char **stringp, const char *delim);
+extern void
+(*dighost_shutdown)(void);
 
 #ifdef DIG_SIGCHASE
 /* Chasing functions */
@@ -440,6 +441,44 @@ chase_sig(dns_message_t *msg);
 
 void save_opt(dig_lookup_t *lookup, char *code, char *value);
 
+void setup_file_key(void);
+void setup_text_key(void);
+
+/*
+ * Routines exported from dig.c for use by dig for iOS
+ */
+
+/*%<
+ * Call once only to set up libraries, parse global
+ * parameters and initial command line query parameters
+ */
+void
+dig_setup(int argc, char **argv);
+
+/*%<
+ * Call to supply new parameters for the next lookup
+ */
+void
+dig_query_setup(isc_boolean_t, isc_boolean_t, int argc, char **argv);
+
+/*%<
+ * set the main application event cycle running
+ */
+void
+dig_startup(void);
+
+/*%<
+ * Initiates the next lookup cycle
+ */
+void
+dig_query_start(void);
+
+/*%<
+ * Cleans up the application
+ */
+void
+dig_shutdown(void);
+
 ISC_LANG_ENDDECLS
 
 #endif
diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1
index c9c4c2f1b34..aec02566488 100644
--- a/usr.sbin/bind/bin/dig/nslookup.1
+++ b/usr.sbin/bind/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -298,5 +298,5 @@ returns with an exit status of 1 if any query failed, and 0 otherwise\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c
index d86a7a77c6d..006a80578d2 100644
--- a/usr.sbin/bind/bin/dig/nslookup.c
+++ b/usr.sbin/bind/bin/dig/nslookup.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -164,8 +163,8 @@ rcode_totext(dns_rcode_t rcode)
 	return totext.deconsttext;
 }
 
-void
-dighost_shutdown(void) {
+static void
+query_finished(void) {
 	isc_event_t *event = global_event;
 
 	flush_lookup_list();
@@ -214,7 +213,7 @@ printa(dns_rdata_t *rdata) {
 }
 #ifdef DIG_SIGCHASE
 /* Just for compatibility : not use in host program */
-isc_result_t
+static isc_result_t
 printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
 	      isc_buffer_t *target)
 {
@@ -404,22 +403,21 @@ detailsection(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers,
 	return (ISC_R_SUCCESS);
 }
 
-void
-received(int bytes, isc_sockaddr_t *from, dig_query_t *query)
+static void
+received(unsigned int bytes, isc_sockaddr_t *from, dig_query_t *query)
 {
 	UNUSED(bytes);
 	UNUSED(from);
 	UNUSED(query);
 }
 
-void
+static void
 trying(char *frm, dig_lookup_t *lookup) {
 	UNUSED(frm);
 	UNUSED(lookup);
-
 }
 
-isc_result_t
+static isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
@@ -508,7 +506,7 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
 	printf("  %s\t\t%s\n",
 	       usesearch ? "search" : "nosearch",
 	       recurse ? "recurse" : "norecurse");
-	printf("  timeout = %d\t\tretry = %d\tport = %d\tndots = %d\n",
+	printf("  timeout = %u\t\tretry = %d\tport = %u\tndots = %d\n",
 	       timeout, tries, port, ndots);
 	printf("  querytype = %-8s\tclass = %s\n", deftype, defclass);
 	printf("  srchlist = ");
@@ -595,7 +593,12 @@ version(void) {
 
 static void
 setoption(char *opt) {
-	if (strncasecmp(opt, "all", 3) == 0) {
+	size_t l = strlen(opt);
+
+#define CHECKOPT(A, N) \
+	((l >= N) && (l < sizeof(A)) && (strncasecmp(opt, A, l) == 0))
+
+	if (CHECKOPT("all", 3)) {
 		show_settings(ISC_TRUE, ISC_FALSE);
 	} else if (strncasecmp(opt, "class=", 6) == 0) {
 		if (testclass(&opt[6]))
@@ -637,41 +640,41 @@ setoption(char *opt) {
 		set_timeout(&opt[8]);
 	} else if (strncasecmp(opt, "t=", 2) == 0) {
 		set_timeout(&opt[2]);
-	} else if (strncasecmp(opt, "rec", 3) == 0) {
+	} else if (CHECKOPT("recurse", 3)) {
 		recurse = ISC_TRUE;
-	} else if (strncasecmp(opt, "norec", 5) == 0) {
+	} else if (CHECKOPT("norecurse", 5)) {
 		recurse = ISC_FALSE;
 	} else if (strncasecmp(opt, "retry=", 6) == 0) {
 		set_tries(&opt[6]);
 	} else if (strncasecmp(opt, "ret=", 4) == 0) {
 		set_tries(&opt[4]);
-	} else if (strncasecmp(opt, "def", 3) == 0) {
+	} else if (CHECKOPT("defname", 3)) {
 		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodef", 5) == 0) {
+	} else if (CHECKOPT("nodefname", 5)) {
 		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "vc", 3) == 0) {
+	} else if (CHECKOPT("vc", 2) == 0) {
 		tcpmode = ISC_TRUE;
-	} else if (strncasecmp(opt, "novc", 5) == 0) {
+	} else if (CHECKOPT("novc", 4) == 0) {
 		tcpmode = ISC_FALSE;
-	} else if (strncasecmp(opt, "deb", 3) == 0) {
+	} else if (CHECKOPT("debug", 3) == 0) {
 		short_form = ISC_FALSE;
 		showsearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
+	} else if (CHECKOPT("nodebug", 5) == 0) {
 		short_form = ISC_TRUE;
 		showsearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "d2", 2) == 0) {
+	} else if (CHECKOPT("d2", 2) == 0) {
 		debugging = ISC_TRUE;
-	} else if (strncasecmp(opt, "nod2", 4) == 0) {
+	} else if (CHECKOPT("nod2", 4) == 0) {
 		debugging = ISC_FALSE;
-	} else if (strncasecmp(opt, "search", 3) == 0) {
+	} else if (CHECKOPT("search", 3) == 0) {
 		usesearch = ISC_TRUE;
-	} else if (strncasecmp(opt, "nosearch", 5) == 0) {
+	} else if (CHECKOPT("nosearch", 5) == 0) {
 		usesearch = ISC_FALSE;
-	} else if (strncasecmp(opt, "sil", 3) == 0) {
+	} else if (CHECKOPT("sil", 3) == 0) {
 		/* deprecation_msg = ISC_FALSE; */
-	} else if (strncasecmp(opt, "fail", 3) == 0) {
+	} else if (CHECKOPT("fail", 3) == 0) {
 		nofail=ISC_FALSE;
-	} else if (strncasecmp(opt, "nofail", 3) == 0) {
+	} else if (CHECKOPT("nofail", 5) == 0) {
 		nofail=ISC_TRUE;
 	} else if (strncasecmp(opt, "ndots=", 6) == 0) {
 		set_ndots(&opt[6]);
@@ -910,6 +913,15 @@ main(int argc, char **argv) {
 
 	check_ra = ISC_TRUE;
 
+	/* setup dighost callbacks */
+#ifdef DIG_SIGCHASE
+	dighost_printrdataset = printrdataset;
+#endif
+	dighost_printmessage = printmessage;
+	dighost_received = received;
+	dighost_trying = trying;
+	dighost_shutdown = query_finished;
+
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
 
diff --git a/usr.sbin/bind/bin/dig/nslookup.docbook b/usr.sbin/bind/bin/dig/nslookup.docbook
index cb59a684d87..854b20ba2c9 100644
--- a/usr.sbin/bind/bin/dig/nslookup.docbook
+++ b/usr.sbin/bind/bin/dig/nslookup.docbook
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -74,6 +74,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/usr.sbin/bind/bin/dig/nslookup.html b/usr.sbin/bind/bin/dig/nslookup.html
index 3ab2b981128..0ab4d722590 100644
--- a/usr.sbin/bind/bin/dig/nslookup.html
+++ b/usr.sbin/bind/bin/dig/nslookup.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004-2007, 2010, 2013-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2010, 2013-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/bind.keys b/usr.sbin/bind/bind.keys
index db22d4bc030..5e5a32ba9c7 100644
--- a/usr.sbin/bind/bind.keys
+++ b/usr.sbin/bind/bind.keys
@@ -1,45 +1,26 @@
 # The bind.keys file is used to override the built-in DNSSEC trust anchors
-# which are included as part of BIND 9.  As of the current release, the only
-# trust anchors it contains are those for the DNS root zone ("."), and for
-# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors
-# for any other zones MUST be configured elsewhere; if they are configured
-# here, they will not be recognized or used by named.
+# which are included as part of BIND 9.  The only trust anchors it contains
+# are for the DNS root zone (".").  Trust anchors for any other zones MUST
+# be configured elsewhere; if they are configured here, they will not be
+# recognized or used by named.
 #
 # The built-in trust anchors are provided for convenience of configuration.
 # They are not activated within named.conf unless specifically switched on.
-# To use the built-in root key, set "dnssec-validation auto;" in
-# named.conf options.  To use the built-in DLV key, set
-# "dnssec-lookaside auto;".  Without these options being set,
-# the keys in this file are ignored.
+# To use the built-in key, use "dnssec-validation auto;" in the
+# named.conf options.  Without this option being set, the keys in this
+# file are ignored.
 #
 # This file is NOT expected to be user-configured.
 #
-# These keys are current as of Feburary 2017.  If any key fails to
+# These keys are current as of October 2017.  If any key fails to
 # initialize correctly, it may have expired.  In that event you should
 # replace this file with a current version.  The latest version of
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.
+#
+# See https://data.iana.org/root-anchors/root-anchors.xml
+# for current trust anchor information for the root zone.
 
 managed-keys {
-        # ISC DLV: See https://www.isc.org/solutions/dlv for details.
-        #
-        # NOTE: The ISC DLV zone is being phased out as of February 2017;
-        # the key will remain in place but the zone will be otherwise empty.
-        # Configuring "dnssec-lookaside auto;" to activate this key is
-        # harmless, but is no longer useful and is not recommended.
-        dlv.isc.org. initial-key 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
-                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
-                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
-                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
-                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
-                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt
-                TDN0YUuWrBNh";
-
-        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
-        # for current trust anchor information.
-        #
-        # These keys are activated by setting "dnssec-validation auto;"
-        # in named.conf.
-        #
         # This key (19036) is to be phased out starting in 2017. It will
         # remain in the root zone for some time after its successor key
         # has been added. It will remain this file until it is removed from
@@ -52,7 +33,7 @@ managed-keys {
                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                 QxA+Uk1ihz0=";
 
-        # This key (20326) is to be published in the root zone in 2017.
+        # This key (20326) was published in the root zone in 2017.
         # Servers which were already using the old key (19036) should
         # roll seamlessly to this new one via RFC 5011 rollover. Servers
         # being set up for the first time can use the contents of this
diff --git a/usr.sbin/bind/bind.keys.h b/usr.sbin/bind/bind.keys.h
index 50d298cffc7..746dfa289dc 100644
--- a/usr.sbin/bind/bind.keys.h
+++ b/usr.sbin/bind/bind.keys.h
@@ -1,46 +1,29 @@
+#ifndef BIND_KEYS_H
+#define BIND_KEYS_H 1
 #define TRUSTED_KEYS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
+# which are included as part of BIND 9.  The only trust anchors it contains\n\
+# are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
+# be configured elsewhere; if they are configured here, they will not be\n\
+# recognized or used by named.\n\
 #\n\
 # The built-in trust anchors are provided for convenience of configuration.\n\
 # They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options.  To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\".  Without these options being set,\n\
-# the keys in this file are ignored.\n\
+# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
+# named.conf options.  Without this option being set, the keys in this\n\
+# file are ignored.\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of Feburary 2017.  If any key fails to\n\
+# These keys are current as of October 2017.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml\n\
+# for current trust anchor information for the root zone.\n\
 \n\
 trusted-keys {\n\
-        # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        #\n\
-        # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
-        # the key will remain in place but the zone will be otherwise empty.\n\
-        # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
-        # harmless, but is no longer useful and is not recommended.\n\
-        dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-                TDN0YUuWrBNh\";\n\
-\n\
-        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-        # for current trust anchor information.\n\
-        #\n\
-        # These keys are activated by setting \"dnssec-validation auto;\"\n\
-        # in named.conf.\n\
-        #\n\
         # This key (19036) is to be phased out starting in 2017. It will\n\
         # remain in the root zone for some time after its successor key\n\
         # has been added. It will remain this file until it is removed from\n\
@@ -53,7 +36,7 @@ trusted-keys {\n\
                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
                 QxA+Uk1ihz0=\";\n\
 \n\
-        # This key (20326) is to be published in the root zone in 2017.\n\
+        # This key (20326) was published in the root zone in 2017.\n\
         # Servers which were already using the old key (19036) should\n\
         # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
         # being set up for the first time can use the contents of this\n\
@@ -72,47 +55,28 @@ trusted-keys {\n\
 
 #define MANAGED_KEYS "\
 # The bind.keys file is used to override the built-in DNSSEC trust anchors\n\
-# which are included as part of BIND 9.  As of the current release, the only\n\
-# trust anchors it contains are those for the DNS root zone (\".\"), and for\n\
-# the ISC DNSSEC Lookaside Validation zone (\"dlv.isc.org\").  Trust anchors\n\
-# for any other zones MUST be configured elsewhere; if they are configured\n\
-# here, they will not be recognized or used by named.\n\
+# which are included as part of BIND 9.  The only trust anchors it contains\n\
+# are for the DNS root zone (\".\").  Trust anchors for any other zones MUST\n\
+# be configured elsewhere; if they are configured here, they will not be\n\
+# recognized or used by named.\n\
 #\n\
 # The built-in trust anchors are provided for convenience of configuration.\n\
 # They are not activated within named.conf unless specifically switched on.\n\
-# To use the built-in root key, set \"dnssec-validation auto;\" in\n\
-# named.conf options.  To use the built-in DLV key, set\n\
-# \"dnssec-lookaside auto;\".  Without these options being set,\n\
-# the keys in this file are ignored.\n\
+# To use the built-in key, use \"dnssec-validation auto;\" in the\n\
+# named.conf options.  Without this option being set, the keys in this\n\
+# file are ignored.\n\
 #\n\
 # This file is NOT expected to be user-configured.\n\
 #\n\
-# These keys are current as of Feburary 2017.  If any key fails to\n\
+# These keys are current as of October 2017.  If any key fails to\n\
 # initialize correctly, it may have expired.  In that event you should\n\
 # replace this file with a current version.  The latest version of\n\
 # bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys.\n\
+#\n\
+# See https://data.iana.org/root-anchors/root-anchors.xml\n\
+# for current trust anchor information for the root zone.\n\
 \n\
 managed-keys {\n\
-        # ISC DLV: See https://www.isc.org/solutions/dlv for details.\n\
-        #\n\
-        # NOTE: The ISC DLV zone is being phased out as of February 2017;\n\
-        # the key will remain in place but the zone will be otherwise empty.\n\
-        # Configuring \"dnssec-lookaside auto;\" to activate this key is\n\
-        # harmless, but is no longer useful and is not recommended.\n\
-        dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2\n\
-                brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+\n\
-                1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5\n\
-                ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk\n\
-                Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM\n\
-                QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt\n\
-                TDN0YUuWrBNh\";\n\
-\n\
-        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml\n\
-        # for current trust anchor information.\n\
-        #\n\
-        # These keys are activated by setting \"dnssec-validation auto;\"\n\
-        # in named.conf.\n\
-        #\n\
         # This key (19036) is to be phased out starting in 2017. It will\n\
         # remain in the root zone for some time after its successor key\n\
         # has been added. It will remain this file until it is removed from\n\
@@ -125,7 +89,7 @@ managed-keys {\n\
                 Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq\n\
                 QxA+Uk1ihz0=\";\n\
 \n\
-        # This key (20326) is to be published in the root zone in 2017.\n\
+        # This key (20326) was published in the root zone in 2017.\n\
         # Servers which were already using the old key (19036) should\n\
         # roll seamlessly to this new one via RFC 5011 rollover. Servers\n\
         # being set up for the first time can use the contents of this\n\
@@ -141,3 +105,4 @@ managed-keys {\n\
                 R1AkUTV74bU=\";\n\
 };\n\
 "
+#endif /* BIND_KEYS_H */
diff --git a/usr.sbin/bind/config.h.in b/usr.sbin/bind/config.h.in
index 62d307a4ce6..816b4853d87 100644
--- a/usr.sbin/bind/config.h.in
+++ b/usr.sbin/bind/config.h.in
@@ -1,7 +1,6 @@
 /* config.h.in.  Generated from configure.in by autoheader.  */
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.10 2019/12/16 16:16:22 deraadt Exp $ */
+/* $Id: config.h.in,v 1.11 2019/12/17 01:46:30 sthen Exp $ */
 
 /*! \file */
 
@@ -216,9 +215,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `dlclose' function. */
 #undef HAVE_DLCLOSE
 
-/* Define to 1 if you have the <dlfcn.h> header file. */
-#undef HAVE_DLFCN_H
-
 /* Define to 1 if you have the `dlopen' function. */
 #undef HAVE_DLOPEN
 
@@ -243,9 +239,15 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `EVP_sha512' function. */
 #undef HAVE_EVP_SHA512
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 
+/* Define if OpenSSL provides FIPS_mode() */
+#undef HAVE_FIPS_MODE
+
 /* Define to 1 if you have the `fseeko' function. */
 #undef HAVE_FSEEKO
 
@@ -372,6 +374,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if your OpenSSL version supports ECDSA. */
 #undef HAVE_OPENSSL_ECDSA
 
+/* Define if your OpenSSL version supports Ed25519. */
+#undef HAVE_OPENSSL_ED25519
+
+/* Define if your OpenSSL version supports Ed448. */
+#undef HAVE_OPENSSL_ED448
+
 /* Define if your OpenSSL version supports EVP AES */
 #undef HAVE_OPENSSL_EVP_AES
 
@@ -381,12 +389,27 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if your PKCS11 provider supports ECDSA. */
 #undef HAVE_PKCS11_ECDSA
 
+/* Define if your PKCS11 provider supports Ed25519. */
+#undef HAVE_PKCS11_ED25519
+
+/* Define if your PKCS11 provider supports Ed448. */
+#undef HAVE_PKCS11_ED448
+
 /* Define if your PKCS11 provider supports GOST. */
 #undef HAVE_PKCS11_GOST
 
 /* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
 #undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
 
+/* Define to 1 if you have the <pthread_np.h> header file. */
+#undef HAVE_PTHREAD_NP_H
+
+/* Define to 1 if you have the `pthread_setname_np' function. */
+#undef HAVE_PTHREAD_SETNAME_NP
+
+/* Define to 1 if you have the `pthread_set_name_np' function. */
+#undef HAVE_PTHREAD_SET_NAME_NP
+
 /* Define to 1 if you have the `pthread_yield' function. */
 #undef HAVE_PTHREAD_YIELD
 
@@ -510,10 +533,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to allow building of objects for dlopen(). */
 #undef ISC_DLZ_DLOPEN
 
-/* Define to the sub-directory in which libtool stores uninstalled libraries.
-   */
-#undef LT_OBJDIR
-
 /* Defined if extern char *optarg is not declared. */
 #undef NEED_OPTARG
 
diff --git a/usr.sbin/bind/config.h.win32 b/usr.sbin/bind/config.h.win32
index 0b0d6a8691c..22ef88bdae8 100644
--- a/usr.sbin/bind/config.h.win32
+++ b/usr.sbin/bind/config.h.win32
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2006-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -331,18 +330,33 @@ typedef __int64 off_t;
 /* Define to 1 if you have the `EVP_sha512' function. */
 @HAVE_EVP_SHA512@
 
+/* Define if OpenSSL provides FIPS_mode() */
+@HAVE_FIPS_MODE@
+
 /* Define if OpenSSL includes DSA support */
 @HAVE_OPENSSL_DSA@
 
 /* Define if OpenSSL includes ECDSA support */
 @HAVE_OPENSSL_ECDSA@
 
+/* Define if OpenSSL includes Ed25519 support */
+@HAVE_OPENSSL_ED25519@
+
+/* Define if OpenSSL includes Ed448 support */
+@HAVE_OPENSSL_ED448@
+
 /* Define if your OpenSSL version supports GOST. */
 @HAVE_OPENSSL_GOST@
 
 /* Define if your PKCS11 provider supports ECDSA. */
 @HAVE_PKCS11_ECDSA@
 
+/* Define if your PKCS11 provider supports Ed25519. */
+@HAVE_PKCS11_ED25519@
+
+/* Define if your PKCS11 provider supports Ed448. */
+@HAVE_PKCS11_ED448@
+
 /* Define if your PKCS11 provider supports GOST. */
 @HAVE_PKCS11_GOST@
 
diff --git a/usr.sbin/bind/configure b/usr.sbin/bind/configure
index 3faf95ee60d..7078660dba2 100644
--- a/usr.sbin/bind/configure
+++ b/usr.sbin/bind/configure
@@ -1,6 +1,5 @@
 #! /bin/sh
-# Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1996-2003  Internet Software Consortium.
+# Copyright (C) 1996-2018  Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +16,7 @@
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.69 for BIND 9.10.
 #
-# Report bugs to <bind9-bugs@isc.org>.
+# Report bugs to <info@isc.org>.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -289,11 +288,10 @@ fi
     $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
     $as_echo "$0: be upgraded to zsh 4.3.4 or later."
   else
-    $as_echo "$0: Please tell bug-autoconf@gnu.org and bind9-bugs@isc.org
-$0: about your system, including any error possibly output
-$0: before this message. Then install a modern shell, or
-$0: manually run the script under such a shell if you do
-$0: have one."
+    $as_echo "$0: Please tell bug-autoconf@gnu.org and info@isc.org about
+$0: your system, including any error possibly output before
+$0: this message. Then install a modern shell, or manually
+$0: run the script under such a shell if you do have one."
   fi
   exit 1
 fi
@@ -607,7 +605,7 @@ PACKAGE_NAME='BIND'
 PACKAGE_TARNAME='bind'
 PACKAGE_VERSION='9.10'
 PACKAGE_STRING='BIND 9.10'
-PACKAGE_BUGREPORT='bind9-bugs@isc.org'
+PACKAGE_BUGREPORT='info@isc.org'
 PACKAGE_URL='https://www.isc.org/downloads/BIND/'
 
 # Factoring default headers for most tests.
@@ -700,6 +698,7 @@ CURL
 DOXYGEN
 XMLLINT
 XSLTPROC
+PANDOC
 W3M
 DBLATEX
 PDFLATEX
@@ -714,6 +713,7 @@ ISC_PLATFORM_HAVEATOMICSTORE
 ISC_PLATFORM_HAVECMPXCHG
 ISC_PLATFORM_HAVEXADDQ
 ISC_PLATFORM_HAVEXADD
+ISC_PLATFORM_HAVESTDATOMIC
 ISC_PLATFORM_HAVEIFNAMETOINDEX
 ISC_PLATFORM_HAVESTRINGSH
 ISC_PLATFORM_BRACEPTHREADONCEINIT
@@ -812,6 +812,7 @@ MKDEPCC
 JSONSTATS
 XMLSTATS
 PKCS11_TEST
+PKCS11_ED25519
 PKCS11_GOST
 PKCS11_ECDSA
 CRYPTO
@@ -834,11 +835,16 @@ ISC_OPENSSL_INC
 ISC_PLATFORM_OPENSSLHASH
 ISC_PLATFORM_WANTAES
 OPENSSL_GOST
+OPENSSL_ED25519
 OPENSSL_ECDSA
 OPENSSLLINKSRCS
 OPENSSLLINKOBJS
 OPENSSLGOSTLINKSRCS
 OPENSSLGOSTLINKOBJS
+OPENSSLEDDSALINKSRCS
+OPENSSLEDDSALINKOBJS
+OPENSSLECDSALINKSRCS
+OPENSSLECDSALINKOBJS
 DST_OPENSSL_INC
 HAVE_SIT
 ISC_PLATFORM_USESIT
@@ -871,6 +877,8 @@ ISC_PLATFORM_NORETURN_PRE
 ISC_PLATFORM_HAVELONGLONG
 ISC_SOCKADDR_LEN_T
 expanded_sysconfdir
+PYTHON_INSTALL_LIB
+PYTHON_INSTALL_DIR
 PYTHON_TOOLS
 COVERAGE
 CHECKDS
@@ -993,6 +1001,7 @@ enable_warn_error
 enable_developer
 enable_seccomp
 with_python
+with_python_install_dir
 enable_kqueue
 enable_epoll
 enable_devpoll
@@ -1007,11 +1016,11 @@ with_openssl
 with_pkcs11
 with_ecdsa
 with_gost
+with_eddsa
 with_aes
 enable_openssl_hash
 enable_sit
 with_sit_alg
-enable_openssl_version_check
 with_libxml2
 with_libjson
 enable_largefile
@@ -1675,9 +1684,9 @@ Optional Features:
   --enable-fast-install[=PKGS]
                           optimize for fast installation [default=yes]
   --disable-libtool-lock  avoid locking (might break parallel builds)
-  --enable-libbind	  deprecated
-  --enable-warn-shadow	  turn on -Wshadow when compiling
-  --enable-warn-error	  turn on -Werror when compiling
+  --enable-libbind        deprecated
+  --enable-warn-shadow    turn on -Wshadow when compiling
+  --enable-warn-error     turn on -Werror when compiling
   --enable-developer      enable developer build settings
   --enable-seccomp        enable support for libseccomp system call filtering
                           [default=no]
@@ -1688,26 +1697,24 @@ Optional Features:
   --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]
   --enable-openssl-hash   use OpenSSL for hash functions [default=no]
   --enable-sit            enable source identity token [default=no]
-  --enable-openssl-version-check
-                          check OpenSSL version [default=yes]
-  --enable-largefile	  64-bit file support
+  --enable-largefile      64-bit file support
   --enable-backtrace      log stack backtrace on abort [default=yes]
   --enable-symtable       use internal symbol table for backtrace
-			  [all|minimal(default)|none]
-  --enable-ipv6           use IPv6 default=autodetect
+                          [all|minimal(default)|none]
+  --enable-ipv6           use IPv6 [default=autodetect]
   --enable-getifaddrs     enable the use of getifaddrs() [yes|no].
   --disable-isc-spnego    use SPNEGO from GSSAPI library
   --disable-chroot        disable chroot
-  --disable-linux-caps	  disable linux capabilities
-  --enable-atomic	  enable machine specific atomic operations
-			  [default=autodetect]
+  --disable-linux-caps    disable linux capabilities
+  --enable-atomic         enable machine specific atomic operations
+                          [default=autodetect]
   --enable-fixed-rrset    enable fixed rrset ordering [default=no]
-  --disable-rpz-nsip	  disable rpz-nsip rules [default=enabled]
-  --disable-rpz-nsdname	  disable rpz-nsdname rules [default=enabled]
+  --disable-rpz-nsip      disable rpz nsip rules [default=enabled]
+  --disable-rpz-nsdname   disable rpz nsdname rules [default=enabled]
   --enable-fetchlimit     enable recursive fetch limits [default=no]
   --enable-filter-aaaa    enable filtering of AAAA records [default=no]
   --enable-querytrace     enable very verbose query trace logging [default=no]
-  --enable-full-report	  report values of all configure options
+  --enable-full-report    report values of all configure options
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1718,32 +1725,38 @@ Optional Packages:
   --with-sysroot=DIR Search for dependent libraries within DIR
                         (or the compiler's sysroot if not specified).
   --with-python=PATH      specify path to python interpreter
+  --with-python-install-dir=PATH
+                          installation directory for Python modules
   --with-geoip=PATH       Build with GeoIP support (yes|no|path)
-  --with-gssapi=[PATH|[/path/]krb5-config]      Specify path for system-supplied GSSAPI [default=yes]
+  --with-gssapi=PATH|/path/krb5-config
+                          Specify path for system-supplied GSSAPI
+                          [default=yes]
   --with-randomdev=PATH   Specify path for random device
   --with-locktype=ARG     Specify mutex lock type (adaptive or standard)
   --with-libtool          use GNU libtool
-  --with-openssl=PATH     Build with OpenSSL yes|no|path.
-			  (Crypto is required for DNSSEC)
-  --with-pkcs11=PATH      Build with PKCS11 support yes|no|path
-			  (PATH is for the PKCS11 provider)
+  --with-openssl=PATH     Build with OpenSSL [yes|no|path]. (Crypto is
+                          required for DNSSEC)
+  --with-pkcs11=PATH      Build with PKCS11 support [yes|no|path] (PATH is for
+                          the PKCS11 provider)
   --with-ecdsa            Crypto ECDSA
-  --with-gost             Crypto GOST yes|no|raw|asn1.
+  --with-gost             Crypto GOST [yes|no|raw|asn1].
+  --with-eddsa            Crypto EDDSA [yes|all|no].
   --with-aes              Crypto AES
   --with-sit-alg=ALG      choose the algorithm for SIT [aes|sha1|sha256]
-  --with-libxml2=PATH     build with libxml2 library yes|no|path
-  --with-libjson=PATH     build with libjson0 library yes|no|path
+  --with-libxml2=PATH     build with libxml2 library [yes|no|path]
+  --with-libjson=PATH     build with libjson0 library [yes|no|path]
   --with-purify=PATH      use Rational purify
-  --with-gperftools-profiler  use gperftools CPU profiler
-  --with-kame=PATH	  use Kame IPv6 default path /usr/local/v6
-  --with-readline=LIBSPEC    specify readline library default auto
+  --with-gperftools-profiler
+                          use gperftools CPU profiler
+  --with-kame=PATH        use Kame IPv6 [default path /usr/local/v6]
+  --with-readline=LIBSPEC specify readline library [default auto]
 
   --with-docbook-xsl=PATH specify path for Docbook-XSL stylesheets
-  --with-idn=MPREFIX      enable IDN support using idnkit default PREFIX
-  --with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX
-  --with-iconv=LIBSPEC    specify iconv library default -liconv
+  --with-idn=MPREFIX      enable IDN support using idnkit [default PREFIX]
+  --with-libiconv=IPREFIX GNU libiconv are in IPREFIX [default PREFIX]
+  --with-iconv=LIBSPEC    specify iconv library [default -liconv]
   --with-idnlib=ARG       specify libidnkit
-  --with-atf=ARG          support Automated Test Framework
+  --with-atf              support Automated Test Framework
   --with-tuning=ARG       Specify server tuning (large or default)
   --with-dlopen=ARG       support dynamically loadable DLZ drivers
   --with-make-clean       run "make clean" at end of configure [yes|no]
@@ -1769,7 +1782,7 @@ Help can also often be found on the BIND Users mailing list
 (https://lists.isc.org/mailman/listinfo/bind-users) or in the #bind
 channel of the Freenode IRC service.
 
-Report bugs to <bind9-bugs@isc.org>.
+Report bugs to <info@isc.org>.
 BIND home page: <https://www.isc.org/downloads/BIND/>.
 _ACEOF
 ac_status=$?
@@ -2232,9 +2245,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;}
 $as_echo "$as_me: WARNING: $2:     section \"Present But Cannot Be Compiled\"" >&2;}
     { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## --------------------------------- ##
-## Report this to bind9-bugs@isc.org ##
-## --------------------------------- ##"
+( $as_echo "## --------------------------- ##
+## Report this to info@isc.org ##
+## --------------------------- ##"
      ) | sed "s/^/$as_me: WARNING:     /" >&2
     ;;
 esac
@@ -11791,6 +11804,14 @@ else
 fi
 
 
+# Check whether --with-python-install-dir was given.
+if test "${with_python_install_dir+set}" = set; then :
+  withval=$with_python_install_dir; use_python_install_dir="$withval"
+else
+  use_python_install_dir="unspec"
+fi
+
+
 python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
 
 testargparse='try: import argparse
@@ -11865,12 +11886,12 @@ $as_echo_n "checking python2 version >= 2.7 or python3 version >= 3.2... " >&6;
 				if ${PYTHON:-false} -c "$testminvers"; then
 					{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found" >&5
 $as_echo "found" >&6; }
-                                else
-                                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
+				else
+					{ $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5
 $as_echo "not found" >&6; }
-                                        unset ac_cv_path_PYTHON
-                                        unset PYTHON
-                                        continue
+					unset ac_cv_path_PYTHON
+					unset PYTHON
+					continue
 				fi
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking python module 'argparse'" >&5
 $as_echo_n "checking python module 'argparse'... " >&6; }
@@ -11886,8 +11907,19 @@ $as_echo "not found" >&6; }
                                         continue
 				fi
 			done
-			if test "X$PYTHON" = "X"
+			if test "X$PYTHON" != "X"
 			then
+				case "$use_python_install_dir" in
+				unspec)
+					PYTHON_INSTALL_DIR=""
+					PYTHON_INSTALL_LIB=""
+					;;
+				*)
+					PYTHON_INSTALL_DIR="$use_python_install_dir"
+					PYTHON_INSTALL_LIB="--install-lib=$use_python_install_dir"
+					;;
+				esac
+			else
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for python support" >&5
 $as_echo_n "checking for python support... " >&6; }
 				case "$use_python" in
@@ -11987,6 +12019,8 @@ fi
 
 
 
+
+
 #
 # Special processing of paths depending on whether --prefix,
 # --sysconfdir or --localstatedir arguments were given.  What's
@@ -13286,12 +13320,12 @@ _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-         $as_echo "#define HAVE_UNAME 1" >>confdefs.h
+	 $as_echo "#define HAVE_UNAME 1" >>confdefs.h
 
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-         { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: uname is not correctly supported" >&5
+	 { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: uname is not correctly supported" >&5
 $as_echo "$as_me: WARNING: uname is not correctly supported" >&2;}
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
@@ -15355,22 +15389,24 @@ else
 fi
 
 
-        case "$locktype" in
-                adaptive)
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_MUTEX_ADAPTIVE_NP" >&5
+	case "$locktype" in
+		adaptive)
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PTHREAD_MUTEX_ADAPTIVE_NP" >&5
 $as_echo_n "checking for PTHREAD_MUTEX_ADAPTIVE_NP... " >&6; }
 
-                        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+			cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-                          #define _GNU_SOURCE
-                          #include <pthread.h>
+			  #ifndef _GNU_SOURCE
+			  #define _GNU_SOURCE
+			  #endif
+			  #include <pthread.h>
 
 int
 main ()
 {
 
-                          return (PTHREAD_MUTEX_ADAPTIVE_NP);
+			  return (PTHREAD_MUTEX_ADAPTIVE_NP);
 
   ;
   return 0;
@@ -15387,15 +15423,15 @@ else
 $as_echo "using standard lock type" >&6; }
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-                        ;;
-                standard)
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: using standard lock type" >&5
+			;;
+		standard)
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using standard lock type" >&5
 $as_echo "using standard lock type" >&6; }
-                        ;;
-                *)
-                        as_fn_error $? "You must specify \"adaptive\" or \"standard\" for --with-locktype." "$LINENO" 5
-                        ;;
-        esac
+			;;
+		*)
+			as_fn_error $? "You must specify \"adaptive\" or \"standard\" for --with-locktype." "$LINENO" 5
+			;;
+	esac
 
 	for ac_header in sched.h
 do :
@@ -15574,6 +15610,33 @@ fi
 			;;
 	esac
 
+	# Look for functions relating to thread naming
+	for ac_func in pthread_setname_np pthread_set_name_np
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+	for ac_header in pthread_np.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "pthread_np.h" "ac_cv_header_pthread_np_h" "#include <pthread.h>
+"
+if test "x$ac_cv_header_pthread_np_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_PTHREAD_NP_H 1
+_ACEOF
+
+fi
+
+done
+
+
 	#
 	# Look for sysconf to allow detection of the number of processors.
 	#
@@ -15687,7 +15750,7 @@ fi
 
 
 #
-# were --with-ecdsa, --with-gost, --with-aes specified
+# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
 #
 
 # Check whether --with-ecdsa was given.
@@ -15706,6 +15769,14 @@ else
 fi
 
 
+# Check whether --with-eddsa was given.
+if test "${with_eddsa+set}" = set; then :
+  withval=$with_eddsa; with_eddsa="$withval"
+else
+  with_eddsa="auto"
+fi
+
+
 # Check whether --with-aes was given.
 if test "${with_aes+set}" = set; then :
   withval=$with_aes; with_aes="$withval"
@@ -15770,7 +15841,7 @@ else
 fi
 
 
-if test "$enable_sit" = "yes"
+if test "yes" = "$enable_sit"
 then
 	case $with_sit_alg in
 		*1)
@@ -15780,21 +15851,21 @@ then
 			with_sit_alg="sha256"
 			;;
 		auto)
-			if test "$with_aes" != "no"
+			if test "no" != "$with_aes"
 			then
 				with_aes="yes"
 			fi
 			;;
 		*)
 			with_sit_alg="aes"
-			if test "$with_aes" != "no"
+			if test "no" != "$with_aes"
 			then
 				with_aes="yes"
 			fi
 			;;
 	esac
 fi
-if test "with_aes" = "checksit"
+if test "checksit" = "$with_aes"
 then
 	with_aes="no"
 fi
@@ -15823,6 +15894,7 @@ then
 fi
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
+OPENSSL_ED25519=""
 gosttype="raw"
 case "$with_gost" in
 	raw)
@@ -15848,8 +15920,12 @@ case "$use_openssl" in
 $as_echo "disabled because of native PKCS11" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		;;
@@ -15858,16 +15934,24 @@ $as_echo "disabled because of native PKCS11" >&6; }
 $as_echo "no" >&6; }
 		DST_OPENSSL_INC=""
 		CRYPTO=""
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		;;
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -15876,7 +15960,7 @@ If you don't want OpenSSL, use --without-openssl" "$LINENO" 5
 	*)
 		if test "yes" = "$want_native_pkcs11"
 		then
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
 $as_echo "" >&6; }
 			as_fn_error $? "OpenSSL and native PKCS11 cannot be used together." "$LINENO" 5
 		fi
@@ -16048,61 +16132,38 @@ fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 
-# Check whether --enable-openssl-version-check was given.
-if test "${enable_openssl_version_check+set}" = set; then :
-  enableval=$enable_openssl_version_check;
-fi
-
-case "$enable_openssl_version_check" in
-yes|'')
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking OpenSSL library version" >&5
-$as_echo_n "checking OpenSSL library version... " >&6; }
-		if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: assuming target platform has compatible version" >&5
-$as_echo "assuming target platform has compatible version" >&6; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL FIPS mode support" >&5
+$as_echo_n "checking for OpenSSL FIPS mode support... " >&6; }
+	have_fips_mode=""
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	     (OPENSSL_VERSION_NUMBER >= 0x0090804fL &&
-	     OPENSSL_VERSION_NUMBER < 0x10002000L) ||
-	     OPENSSL_VERSION_NUMBER >= 0x1000205fL)
-		return (0);
-	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010lx\n",
-		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000000f or greater (1.0.0)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000100f or greater (1.0.1)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000205f or greater (1.0.2e)\n\n");
-	return (1);
+#include <openssl/crypto.h>
+int
+main ()
+{
+FIPS_mode();
+  ;
+  return 0;
 }
-
 _ACEOF
-if ac_fn_c_try_run "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: ok" >&5
-$as_echo "ok" >&6; }
+if ac_fn_c_try_link "$LINENO"; then :
+  have_fips_mode=yes
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: not compatible" >&5
-$as_echo "not compatible" >&6; }
-		 OPENSSL_WARNING=yes
-
-fi
-rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
-  conftest.$ac_objext conftest.beam conftest.$ac_ext
+  have_fips_mode=no
 fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+	if test "x$have_fips_mode" = "xyes"
+	then
 
-;;
-no)
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: Skipped OpenSSL version check" >&5
-$as_echo "Skipped OpenSSL version check" >&6; }
-;;
-esac
+$as_echo "#define HAVE_FIPS_MODE 1" >>confdefs.h
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	else
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	fi
 
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL DSA support" >&5
 $as_echo_n "checking for OpenSSL DSA support... " >&6; }
@@ -16188,6 +16249,8 @@ fi
 	case $have_ecdsa in
 	yes)
 		OPENSSL_ECDSA="yes"
+		OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}'
+		OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}'
 
 $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
 
@@ -16279,13 +16342,127 @@ $as_echo "#define HAVE_OPENSSL_GOST 1" >>confdefs.h
 		;;
 	esac
 
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed25519 support" >&5
+$as_echo_n "checking for OpenSSL Ed25519 support... " >&6; }
+	have_ed25519=""
+	have_ed448=""
+	if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
+$as_echo "using --with-eddsa" >&6; }
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main() {
+	EVP_PKEY_CTX *ctx;
+
+	ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+	if (ctx == NULL)
+		return (2);
+	return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	have_ed25519="yes"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	have_ed25519="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+	case "$with_eddsa" in
+	yes|all)
+	    case "$have_ed25519" in
+	    no)  as_fn_error $? "eddsa not supported" "$LINENO" 5 ;;
+	    *)  have_ed25519=yes ;;
+	    esac
+	    ;;
+	no)
+	    have_ed25519=no ;;
+	*)
+	    case "$have_ed25519" in
+	    yes|no) ;;
+	    *) as_fn_error $? "need --with-eddsa=[yes, all or no]" "$LINENO" 5 ;;
+	    esac
+	    ;;
+	esac
+	case $have_ed25519 in
+	yes)
+		OPENSSL_ED25519="yes"
+		OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
+		OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
+
+$as_echo "#define HAVE_OPENSSL_ED25519 1" >>confdefs.h
+
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL Ed448 support" >&5
+$as_echo_n "checking for OpenSSL Ed448 support... " >&6; }
+		if test "$cross_compiling" = yes; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-eddsa" >&5
+$as_echo "using --with-eddsa" >&6; }
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main() {
+	EVP_PKEY_CTX *ctx;
+
+	ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+	if (ctx == NULL)
+		return (2);
+	return (0);
+}
+
+_ACEOF
+if ac_fn_c_try_run "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+		have_ed448="yes"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+		have_ed448="no"
+fi
+rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
+  conftest.$ac_objext conftest.beam conftest.$ac_ext
+fi
+
+		case $with_eddsa in
+		all)
+			have_ed448=yes ;;
+		*)
+			;;
+		esac
+		case $have_ed448 in
+		yes)
+
+$as_echo "#define HAVE_OPENSSL_ED448 1" >>confdefs.h
+],
+			;;
+		*)
+			;;
+		esac
+		;;
+	*)
+		;;
+	esac
+
 	have_aes="no"
 	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL AES support" >&5
 $as_echo_n "checking for OpenSSL AES support... " >&6; }
 	if test "$cross_compiling" = yes; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-aes" >&5
 $as_echo "using --with-aes" >&6; }
-         # Expect cross-compiling with a modern OpenSSL
+	 # Expect cross-compiling with a modern OpenSSL
 	 have_aes="evp"
 else
   cat confdefs.h - <<_ACEOF >conftest.$ac_ext
@@ -16371,6 +16548,11 @@ esac
 
 
 
+
+
+
+
+
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
 
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
@@ -16449,7 +16631,7 @@ $as_echo "#define HMAC_SHA256_SIT 1" >>confdefs.h
 		fi
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: aes" >&5
 $as_echo "aes" >&6; }
-		if test "$with_aes" != "yes"
+		if test "yes" != "$with_aes"
 		then
 			as_fn_error $? "\"SIT wants to use unavailable AES\"" "$LINENO" 5;
 		fi
@@ -16640,6 +16822,7 @@ esac
 
 PKCS11_ECDSA=""
 PKCS11_GOST=""
+PKCS11_ED25519=""
 set_pk11_flavor="no"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for native PKCS11" >&5
 $as_echo_n "checking for native PKCS11... " >&6; }
@@ -16683,6 +16866,37 @@ $as_echo "#define HAVE_PKCS11_GOST 1" >>confdefs.h
 $as_echo "disabled" >&6; }
 			;;
 		esac
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed25519" >&5
+$as_echo_n "checking for PKCS11 Ed25519... " >&6; }
+		case "$with_eddsa" in
+		yes|all)
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+			PKCS11_ED25519="yes"
+
+$as_echo "#define HAVE_PKCS11_ED25519 1" >>confdefs.h
+
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 Ed448" >&5
+$as_echo_n "checking for PKCS11 Ed448... " >&6; }
+			case "$with_eddsa" in
+			all)
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: enabled" >&5
+$as_echo "enabled" >&6; }
+
+$as_echo "#define HAVE_PKCS11_ED448 1" >>confdefs.h
+
+				;;
+			*)
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+				;;
+			esac
+			;;
+		*)
+			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5
+$as_echo "disabled" >&6; }
+			;;
+		esac
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 flavor" >&5
 $as_echo_n "checking for PKCS11 flavor... " >&6; }
 		case "$PKCS11_PROVIDER" in
@@ -16743,6 +16957,7 @@ esac
 
 
 
+
 # for PKCS11 benchmarks
 
 have_clock_gt=no
@@ -16794,7 +17009,7 @@ fi
 
 fi
 
-if test "$have_clock_gt" != "no"; then
+if test "no" != "$have_clock_gt"; then
 
 $as_echo "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h
 
@@ -17474,7 +17689,7 @@ $as_echo "no" >&6; }
 		PURIFY=""
 		;;
 	*)
-		if test -f $purify_path || test $purify_path = purify; then
+		if test -f "$purify_path" || test purify = "$purify_path"; then
 			{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $purify_path" >&5
 $as_echo "$purify_path" >&6; }
 			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
@@ -17585,12 +17800,12 @@ $as_echo "$as_me: WARNING: Internal symbol table does not work with libtool.  Di
 		case $host_os in
 		freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
 			MKSYMTBL_PROGRAM="$PERL"
-			if test $want_symtable = all; then
+			if test "all" = "$want_symtable"; then
 				ALWAYS_MAKE_SYMTABLE="yes"
 			fi
 			;;
 		*)
-			if test $want_symtable = yes -o $want_symtable = all
+			if test "yes" = "$want_symtable" -o "all" = "$want_symtable"
 			then
 				{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: this system is not known to generate internal symbol table safely; disabling it" >&5
 $as_echo "$as_me: WARNING: this system is not known to generate internal symbol table safely; disabling it" >&2;}
@@ -18796,10 +19011,10 @@ fi
 ac_fn_c_check_func "$LINENO" "strlcpy" "ac_cv_func_strlcpy"
 if test "x$ac_cv_func_strlcpy" = xyes; then :
   ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"
-         LWRES_PLATFORM_NEEDSTRLCPY="#undef LWRES_PLATFORM_NEEDSTRLCPY"
+	 LWRES_PLATFORM_NEEDSTRLCPY="#undef LWRES_PLATFORM_NEEDSTRLCPY"
 else
   ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"
-         LWRES_PLATFORM_NEEDSTRLCPY="#define LWRES_PLATFORM_NEEDSTRLCPY 1"
+	 LWRES_PLATFORM_NEEDSTRLCPY="#define LWRES_PLATFORM_NEEDSTRLCPY 1"
 fi
 
 
@@ -18889,7 +19104,7 @@ done
 			break
 		fi
 	done
-	if test "$use_readline" != "auto" &&
+	if test "auto" != "$use_readline" &&
 	   test "X$READLINE_LIB" = "X"
 	then
 		as_fn_error $? "The readline library was not found." "$LINENO" 5
@@ -18897,7 +19112,7 @@ done
 	LIBS="$saved_LIBS"
 	;;
 esac
-if test yes = "$ac_cv_func_readline"
+if test "yes" = "$ac_cv_func_readline"
 then
 	case "$READLINE_LIB" in
 	*edit*)
@@ -19023,12 +19238,14 @@ else
 /* end confdefs.h.  */
 
 #include <stdio.h>
+
+int
 main() {
-        size_t j = 0;
-        char buf[100];
-        buf[0] = 0;
-        sprintf(buf, "%zu", j);
-        exit(strcmp(buf, "0") != 0);
+	size_t j = 0;
+	char buf[100];
+	buf[0] = 0;
+	sprintf(buf, "%zu", j);
+	return ((buf[0] == '0' && buf[1] == '\0') ? 0 : 1);
 }
 
 _ACEOF
@@ -19040,9 +19257,9 @@ else
 $as_echo "no" >&6; }
 	ISC_PRINT_OBJS="print.$O"
 	ISC_PRINT_SRCS="print.c"
-        ISC_PLATFORM_NEEDPRINTF='#define ISC_PLATFORM_NEEDPRINTF 1'
-        ISC_PLATFORM_NEEDFPRINTF='#define ISC_PLATFORM_NEEDFPRINTF 1'
-        ISC_PLATFORM_NEEDFSRINTF='#define ISC_PLATFORM_NEEDSPRINTF 1'
+	ISC_PLATFORM_NEEDPRINTF='#define ISC_PLATFORM_NEEDPRINTF 1'
+	ISC_PLATFORM_NEEDFPRINTF='#define ISC_PLATFORM_NEEDFPRINTF 1'
+	ISC_PLATFORM_NEEDFSRINTF='#define ISC_PLATFORM_NEEDSPRINTF 1'
 	ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
 	LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"
 fi
@@ -19378,11 +19595,11 @@ _ACEOF
 if ac_fn_c_try_compile "$LINENO"; then :
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
-        ISC_PLATFORM_HAVESTATNSEC="#define ISC_PLATFORM_HAVESTATNSEC 1"
+	ISC_PLATFORM_HAVESTATNSEC="#define ISC_PLATFORM_HAVESTATNSEC 1"
 else
   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
-        ISC_PLATFORM_HAVESTATNSEC="#undef ISC_PLATFORM_HAVESTATNSEC"
+	ISC_PLATFORM_HAVESTATNSEC="#undef ISC_PLATFORM_HAVESTATNSEC"
 fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 
@@ -19776,7 +19993,7 @@ $as_echo "#define HAVE_IF_NAMETOINDEX 1" >>confdefs.h
 esac
 
 
-for ac_func in nanosleep usleep
+for ac_func in nanosleep usleep explicit_bzero
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -19792,6 +20009,38 @@ done
 #
 # Machine architecture dependent features
 #
+have_stdatomic=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for usable stdatomic.h" >&5
+$as_echo_n "checking for usable stdatomic.h... " >&6; }
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <stdio.h>
+#include <stdatomic.h>
+
+int
+main ()
+{
+
+atomic_int_fast32_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	 have_stdatomic=yes
+	 ISC_PLATFORM_HAVESTDATOMIC="#define ISC_PLATFORM_HAVESTDATOMIC 1"
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	 have_stdatomic=no
+	 ISC_PLATFORM_HAVESTDATOMIC="#undef ISC_PLATFORM_HAVESTDATOMIC"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 # Check whether --enable-atomic was given.
 if test "${enable_atomic+set}" = set; then :
   enableval=$enable_atomic; enable_atomic="$enableval"
@@ -19804,8 +20053,8 @@ case "$enable_atomic" in
 		case "$host" in
 		powerpc-ibm-aix*)
 			if test "X$GCC" = "Xyes"; then
-				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if asm(\"isc\"); works" >&5
-$as_echo_n "checking if asm(\"isc\"); works... " >&6; }
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if asm(\"ics\"); works" >&5
+$as_echo_n "checking if asm(\"ics\"); works... " >&6; }
 				cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
@@ -19867,11 +20116,44 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 		esac
 		;;
 	no)
+		have_stdatomic=no
+		ISC_PLATFORM_HAVESTDATOMIC="#undef ISC_PLATFORM_HAVESTDATOMIC"
 		use_atomic=no
 		arch=noatomic
 		;;
 esac
 
+if test "X$have_stdatomic" = "Xyes"; then
+    { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -latomic is needed to use 64-bit stdatomic.h primitives" >&5
+$as_echo_n "checking if -latomic is needed to use 64-bit stdatomic.h primitives... " >&6; }
+    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+#include <stdatomic.h>
+int
+main ()
+{
+atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+	 ISC_ATOMIC_LIBS=""
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+	 ISC_ATOMIC_LIBS="-latomic"
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+    LIBS="$LIBS $ISC_ATOMIC_LIBS"
+fi
+
+
+
 ISC_PLATFORM_USEOSFASM="#undef ISC_PLATFORM_USEOSFASM"
 ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
@@ -20152,7 +20434,7 @@ int
 main ()
 {
 
-        return (__builtin_expect(1, 1) ? 1 : 0);
+	return (__builtin_expect(1, 1) ? 1 : 0);
 
   ;
   return 0;
@@ -20160,14 +20442,14 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-        have_builtin_expect=yes
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+	have_builtin_expect=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
 else
 
-        have_builtin_expect=no
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+	have_builtin_expect=no
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 fi
@@ -20191,7 +20473,7 @@ int
 main ()
 {
 
-        return (__builtin_clz(0xff) == 24 ? 1 : 0);
+	return (__builtin_clz(0xff) == 24 ? 1 : 0);
 
   ;
   return 0;
@@ -20199,14 +20481,14 @@ main ()
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
 
-        have_builtin_clz=yes
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+	have_builtin_clz=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
 $as_echo "yes" >&6; }
 
 else
 
-        have_builtin_clz=no
-        { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+	have_builtin_clz=no
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
 $as_echo "no" >&6; }
 
 fi
@@ -20567,6 +20849,53 @@ test -n "$W3M" || W3M="w3m"
 
 
 #
+# Look for pandoc
+#
+# Extract the first word of "pandoc", so it can be a program name with args.
+set dummy pandoc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_PANDOC+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  case $PANDOC in
+  [\\/]* | ?:[\\/]*)
+  ac_cv_path_PANDOC="$PANDOC" # Let the user override the test with a path.
+  ;;
+  *)
+  as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+  IFS=$as_save_IFS
+  test -z "$as_dir" && as_dir=.
+    for ac_exec_ext in '' $ac_executable_extensions; do
+  if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+    ac_cv_path_PANDOC="$as_dir/$ac_word$ac_exec_ext"
+    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+    break 2
+  fi
+done
+  done
+IFS=$as_save_IFS
+
+  test -z "$ac_cv_path_PANDOC" && ac_cv_path_PANDOC="pandoc"
+  ;;
+esac
+fi
+PANDOC=$ac_cv_path_PANDOC
+if test -n "$PANDOC"; then
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PANDOC" >&5
+$as_echo "$PANDOC" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+
+
+
+#
 # Look for xsltproc (libxslt)
 #
 
@@ -21141,12 +21470,12 @@ if test "yes" = "$idnlib"; then
 fi
 
 IDNLIBS=
-if test "$use_idn" != no; then
+if test "no" != "$use_idn"; then
 
 $as_echo "#define WITH_IDN 1" >>confdefs.h
 
 	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-	if test "$idnlib" != no; then
+	if test "no" != "$idnlib"; then
 		IDNLIBS="$idnlib $iconvlib"
 	else
 		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
@@ -21165,7 +21494,7 @@ else
   atf="no"
 fi
 
-if test yes = "$atf"; then
+if test "yes" = "$atf"; then
 	atf=`pwd`/unit/atf
 	ATFBUILD=atf-src
 
@@ -21176,7 +21505,7 @@ $as_echo "building ATF from bind9/unit/atf-src" >&6; }
 fi
 
 ATFLIBS=
-if test "$atf" != no; then
+if test "no" != "$atf"; then
 
 $as_echo "#define ATF_TEST 1" >>confdefs.h
 
@@ -22311,7 +22640,7 @@ $config_headers
 Configuration commands:
 $config_commands
 
-Report bugs to <bind9-bugs@isc.org>.
+Report bugs to <info@isc.org>.
 BIND home page: <https://www.isc.org/downloads/BIND/>."
 
 _ACEOF
@@ -24015,7 +24344,7 @@ fi
 		 *) srcdir="../../$srcdir";;
 		 esac
 		 ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" --enable-tools --disable-shared MISSING=: --prefix $atfdir;
-		)  ;;
+		) || as_fn_error $? "Failed to configure ATF." "$LINENO" 5  ;;
     "chmod":C) chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter ;;
 
   esac
@@ -24069,9 +24398,14 @@ fi
 
 case "$make_clean" in
 yes)
-	if test "$no_create" != "yes"
+	if test "yes" != "$no_create"
 	then
-		make clean
+		if test "yes" = "$silent"
+		then
+			make clean > /dev/null
+		else
+			make clean
+		fi
 	fi
 	;;
 esac
@@ -24082,139 +24416,157 @@ if test "${enable_full_report+set}" = set; then :
 fi
 
 
-echo "========================================================================"
-echo "Configuration summary:"
-echo "------------------------------------------------------------------------"
-echo "Optional features enabled:"
-if $use_threads; then
-    echo "    Multiprocessing support (--enable-threads)"
-    if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
-        echo "        Mutex lock type: $locktype"
+report() {
+    echo "========================================================================"
+    echo "Configuration summary:"
+    echo "------------------------------------------------------------------------"
+    echo "Optional features enabled:"
+    if $use_threads; then
+	echo "    Multiprocessing support (--enable-threads)"
+	if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
+	    echo "        Mutex lock type: $locktype"
+	fi
     fi
-fi
-test "large" = "$use_tuning" && echo "    Large-system tuning (--with-tuning)"
-test "no" = "$use_geoip" || echo "    GeoIP access control (--with-geoip)"
-test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
-test "yes" = "$enable_fetchlimit" && \
-    echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
-if test "no" = "$enable_sit"; then
-    echo "    Source Identity Token support (--enable-sit)"
-    if test "yes" = "$enable_full_report" -o "aes" = "$with_sit_alg"; then
-	echo "        Algorithm: $with_sit_alg"
+    test "large" = "$use_tuning" && echo "    Large-system tuning (--with-tuning)"
+    test "no" = "$use_geoip" || echo "    GeoIP access control (--with-geoip)"
+    test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
+    test "yes" = "$enable_fetchlimit" && \
+        echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
+    if test "no" = "$enable_sit"; then
+        echo "    Source Identity Token support (--enable-sit)"
+        if test "yes" = "$enable_full_report" -o "aes" = "$with_sit_alg"; then
+            echo "        Algorithm: $with_sit_alg"
+        fi
     fi
-fi
 
-# these lines are only printed if run with --enable-full-report
-if test "yes" = "$enable_full_report"; then
-    test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" || \
-	echo "    IPv6 support (--enable-ipv6)"
-    test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
-	    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-    test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
-    test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
-    test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-fi
+    # these lines are only printed if run with --enable-full-report
+    if test "yes" = "$enable_full_report"; then
+        test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" || \
+            echo "    IPv6 support (--enable-ipv6)"
+        test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
+                echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+        test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
+        test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
+        test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
+    fi
 
-if test "$use_pkcs11" != "no"; then
-    if test "yes" = "$want_native_pkcs11"; then
-	echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
-    else
-	echo "    PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
+    if test "no" != "$use_pkcs11"; then
+	if test "yes" = "$want_native_pkcs11"; then
+	    echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
+	else
+	    echo "    PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
+	fi
+	echo "        Provider library: $PKCS11_PROVIDER"
     fi
-    echo "        Provider library: $PKCS11_PROVIDER"
-fi
-if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
-    echo "    GOST algorithm support (encoding: $gosttype) (--with-gost)"
-fi
-test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
-    echo "    ECDSA algorithm support (--with-ecdsa)"
-test "yes" = "$enable_fixed" && \
-    echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-test "yes" = "$enable_filter" && \
-    echo "    AAAA filtering (--enable-filter-aaaa)"
-test "yes" = "$enable_seccomp" && \
-    echo "    Use libseccomp system call filtering (--enable-seccomp)"
-test "yes" = "$want_backtrace" && \
-    echo "    Print backtrace on crash (--enable-backtrace)"
-test "minimal" = "$want_symtable" && \
-    echo "    Use symbol table for backtrace, named only (--enable-symtable)"
-test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
-    echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
-test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
-test "yes" = "$want_querytrace" && \
-    echo "    Very verbose query trace logging (--enable-querytrace)"
-test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
-
-echo "    Dynamically loadable zone (DLZ) drivers:"
-test "no" = "$use_dlz_bdb" || \
-    echo "        Berkeley DB (--with-dlz-bdb)"
-test "no" = "$use_dlz_ldap" || \
-    echo "        LDAP (--with-dlz-ldap)"
-test "no" = "$use_dlz_mysql" || \
-    echo "        MySQL (--with-dlz-mysql)"
-test "no" = "$use_dlz_odbc" || \
-    echo "        ODBC (--with-dlz-odbc)"
-test "no" = "$use_dlz_postgres" || \
-    echo "        Postgres (--with-dlz-postgres)"
-test "no" = "$use_dlz_filesystem" || \
-    echo "        Filesystem (--with-dlz-filesystem)"
-test "no" = "$use_dlz_stub" || \
-    echo "        Stub (--with-dlz-stub)"
-test "$use_dlz_bdb $use_dlz_ldap $use_dlz_mysql $use_dlz_odbc $use_dlz_postgres $use_dlz_filesystem $use_dlz_stub" = "no no no no no no no" && echo "        None"
-echo
-
-echo "Features disabled or unavailable on this platform:"
-$use_threads || echo "    Multiprocessing support (--enable-threads)"
-test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" && \
-	echo "    IPv6 support (--enable-ipv6)"
-test "large" = "$use_tuning" || echo "    Large-system tuning (--with-tuning)"
-
-test "no" = "$use_geoip" && echo "    GeoIP access control (--with-geoip)"
-test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
-test "no" = "$enable_fetchlimit" && \
-        echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
-test "no" = "$enable_sit" && echo "    Source Identity Token support (--enable-sit)"
+    if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
+	echo "    GOST algorithm support (encoding: $gosttype) (--with-gost)"
+    fi
+    test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
+	echo "    ECDSA algorithm support (--with-ecdsa)"
+    test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
+	echo "    EDDSA algorithm support (--with-eddsa)"
+    test "yes" = "$enable_fixed" && \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    test "yes" = "$enable_filter" && \
+	echo "    AAAA filtering (--enable-filter-aaaa)"
+    test "yes" = "$enable_seccomp" && \
+	echo "    Use libseccomp system call filtering (--enable-seccomp)"
+    test "yes" = "$want_backtrace" && \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "minimal" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, named only (--enable-symtable)"
+    test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
+    test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "yes" = "$want_querytrace" && \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+    test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
+
+    echo "    Dynamically loadable zone (DLZ) drivers:"
+    test "no" = "$use_dlz_bdb" || \
+	echo "        Berkeley DB (--with-dlz-bdb)"
+    test "no" = "$use_dlz_ldap" || \
+	echo "        LDAP (--with-dlz-ldap)"
+    test "no" = "$use_dlz_mysql" || \
+	echo "        MySQL (--with-dlz-mysql)"
+    test "no" = "$use_dlz_odbc" || \
+	echo "        ODBC (--with-dlz-odbc)"
+    test "no" = "$use_dlz_postgres" || \
+	echo "        Postgres (--with-dlz-postgres)"
+    test "no" = "$use_dlz_filesystem" || \
+	echo "        Filesystem (--with-dlz-filesystem)"
+    test "no" = "$use_dlz_stub" || \
+	echo "        Stub (--with-dlz-stub)"
+    test "$use_dlz_bdb $use_dlz_ldap $use_dlz_mysql $use_dlz_odbc $use_dlz_postgres $use_dlz_filesystem $use_dlz_stub" = "no no no no no no no" && echo "        None"
 
-test "yes" = "$enable_fixed" || \
-    echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    echo "------------------------------------------------------------------------"
+
+    echo "Features disabled or unavailable on this platform:"
+    $use_threads || echo "    Multiprocessing support (--enable-threads)"
+    test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" && \
+    	echo "    IPv6 support (--enable-ipv6)"
+    test "large" = "$use_tuning" || echo "    Large-system tuning (--with-tuning)"
+
+    test "no" = "$use_geoip" && echo "    GeoIP access control (--with-geoip)"
+    test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
+    test "no" = "$enable_fetchlimit" && \
+            echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
+    test "no" = "$enable_sit" && echo "    Source Identity Token support (--enable-sit)"
+
+    test "yes" = "$enable_fixed" || \
+        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
+    then
+	echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+    elif test "no" = "$use_pkcs11"; then
+	echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
+    fi
+    test "yes" = "$want_native_pkcs11" ||
+	echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
+	echo "    GOST algorithm support (--with-gost)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
+	echo "    ECDSA algorithm support (--with-ecdsa)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
+	echo "    EDDSA algorithm support (--with-eddsa)"
+
+    test "yes" = "$enable_seccomp" || \
+	echo "    Use libseccomp system call filtering (--enable-seccomp)"
+    test "yes" = "$want_backtrace" || \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "yes" = "$want_querytrace" || \
+        echo "    Very verbose query trace logging (--enable-querytrace)"
+
+    test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "no" = "$atf" && echo "    Automated Testing Framework (--with-atf)"
+
+    test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
+    test "X$XMLSTATS" = "X" && echo "    XML statistics (--with-libxml2)"
+    test "X$JSONSTATS" = "X" && echo "    JSON statistics (--with-libjson)"
 
-if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
-then
-    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-elif test "no" = "$use_pkcs11"; then
-    echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
-fi
-test "yes" = "$want_native_pkcs11" ||
-    echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
-test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
-    echo "    GOST algorithm support (--with-gost)"
-test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
-    echo "    ECDSA algorithm support (--with-ecdsa)"
-
-test "yess" = "$enable_seccomp" || \
-    echo "    Use libseccomp system call filtering (--enable-seccomp)"
-test "yes" = "$want_backtrace" || \
-    echo "    Print backtrace on crash (--enable-backtrace)"
-test "yes" = "$want_querytrace" || \
-    echo "    Very verbose query trace logging (--enable-querytrace)"
-
-test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
-test "no" = "$atf" && echo "    Automated Testing Framework (--with-atf)"
-
-test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
-test "X$XMLSTATS" = "X" && echo "    XML statistics (--with-libxml2)"
-test "X$JSONSTATS" = "X" && echo "    JSON statistics (--with-libjson)"
-
-if test "X$ac_unrecognized_opts" != "X"; then
-    echo
-    echo "Unrecognized options:"
-    echo "    $ac_unrecognized_opts"
-fi
-if test "$enable_full_report" != "yes"; then
     echo "------------------------------------------------------------------------"
-    echo "For more detail, use --enable-full-report."
+    echo "Configured paths:"
+    echo "    prefix: $prefix"
+    echo "    sysconfdir: $sysconfdir"
+    echo "    localstatedir: $localstatedir"
+
+
+    if test "X$ac_unrecognized_opts" != "X"; then
+	echo
+	echo "Unrecognized options:"
+	echo "    $ac_unrecognized_opts"
+    fi
+
+    if test "yes" != "$enable_full_report"; then
+        echo "------------------------------------------------------------------------"
+        echo "For more detail, use --enable-full-report."
+    fi
+    echo "========================================================================"
+}
+
+if test "yes" != "$silent"; then
+	report
 fi
-echo "========================================================================"
 
 if test "X$CRYPTO" = "X"; then
 cat << \EOF
@@ -24224,31 +24576,6 @@ not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
 EOF
 fi
 
-if test "X$OPENSSL_WARNING" != "X"; then
-cat << \EOF
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING                                                                 WARNING
-WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
-WARNING         one or more of the the following known security         WARNING
-WARNING         flaws:                                                  WARNING
-WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937,            WARNING
-WARNING         CVE-2006-2940 and CVE-2015-3193.                        WARNING
-WARNING                                                                 WARNING
-WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 1.0.2e/1.0.1/1.0.0/0.9.9/0.9.8d/0.9.7l          WARNING
-WARNING		(or greater).                                           WARNING
-WARNING                                                                 WARNING
-WARNING         You can disable this warning by specifying:             WARNING
-WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
-WARNING                                                                 WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh
diff --git a/usr.sbin/bind/configure.in b/usr.sbin/bind/configure.in
index 900b2dfe387..214aa5fe099 100644
--- a/usr.sbin/bind/configure.in
+++ b/usr.sbin/bind/configure.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -32,7 +31,7 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed -e 's/^/# /' -e '/Portions of this code/,$d' COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_INIT(BIND, [9.10], [bind9-bugs@isc.org], [], [https://www.isc.org/downloads/BIND/])
+AC_INIT(BIND, [9.10], [info@isc.org], [], [https://www.isc.org/downloads/BIND/])
 AC_PREREQ(2.59)
 
 AC_CONFIG_HEADER(config.h)
@@ -49,7 +48,7 @@ case $build_os in
 sunos*)
     # Just set the maximum command line length for sunos as it otherwise
     # takes a exceptionally long time to work it out. Required for libtool.
-     
+
     lt_cv_sys_max_cmd_len=4096;
     ;;
 esac
@@ -66,7 +65,7 @@ AC_SUBST(CCNOOPT)
 AC_SUBST(BACKTRACECFLAGS)
 
 # Warn if the user specified libbind, which is now deprecated
-AC_ARG_ENABLE(libbind, [  --enable-libbind	  deprecated])
+AC_ARG_ENABLE(libbind, AS_HELP_STRING([--enable-libbind], [deprecated]))
 
 case "$enable_libbind" in
 	yes)
@@ -77,11 +76,17 @@ It is available from http://www.isc.org as a separate download.])
 		;;
 esac
 
-AC_ARG_ENABLE(warn_shadow, [  --enable-warn-shadow	  turn on -Wshadow when compiling])
+AC_ARG_ENABLE(warn_shadow,
+	      AS_HELP_STRING([--enable-warn-shadow],
+			     [turn on -Wshadow when compiling]))
 
-AC_ARG_ENABLE(warn_error, [  --enable-warn-error	  turn on -Werror when compiling])
+AC_ARG_ENABLE(warn_error,
+	      AS_HELP_STRING([--enable-warn-error],
+			    [turn on -Werror when compiling]))
 
-AC_ARG_ENABLE(developer, [  --enable-developer      enable developer build settings])
+AC_ARG_ENABLE(developer,
+	      AS_HELP_STRING([--enable-developer],
+			     [enable developer build settings]))
 XTARGETS=
 case "$enable_developer" in
 yes)
@@ -104,7 +109,9 @@ AC_SUBST(XTARGETS)
 #libseccomp sandboxing
 AC_CHECK_FUNCS(getrandom)
 AC_ARG_ENABLE(seccomp,
-	AS_HELP_STRING([--enable-seccomp],[enable support for libseccomp system call filtering [default=no]]))
+	      AS_HELP_STRING([--enable-seccomp],
+			     [enable support for libseccomp system call
+				 filtering [default=no]]))
 case "$enable_seccomp" in
 	yes)
 	case $host_os in
@@ -139,7 +146,7 @@ case "$enable_seccomp" in
 					return 1;
 				}
 			}
-			ret = 
+			ret =
 			prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
 			if (ret < 0) {
 				switch (errno) {
@@ -154,8 +161,8 @@ case "$enable_seccomp" in
 	return 1;
 	}
 	]
-	, AC_DEFINE([HAVE_LIBSECCOMP], 1, 
-	[Define to use libseccomp system call filtering.])   
+	, AC_DEFINE([HAVE_LIBSECCOMP], 1,
+	[Define to use libseccomp system call filtering.])
 	, []
 	)
 	fi
@@ -224,8 +231,13 @@ AC_SUBST(PERL)
 # If python is unavailable, we simply don't build those.
 #
 AC_ARG_WITH(python,
-[  --with-python=PATH      specify path to python interpreter],
-    use_python="$withval", use_python="unspec")
+	    AS_HELP_STRING([--with-python=PATH],
+			   [specify path to python interpreter]),
+	    use_python="$withval", use_python="unspec")
+AC_ARG_WITH(python-install-dir,
+	    AS_HELP_STRING([--with-python-install-dir=PATH],
+			   [installation directory for Python modules]),
+	    use_python_install_dir="$withval", use_python_install_dir="unspec")
 
 python="python python3 python3.5 python3.4 python3.3 python3.2 python2 python2.7"
 
@@ -253,11 +265,11 @@ case "$use_python" in
 				AC_MSG_CHECKING([python2 version >= 2.7 or python3 version >= 3.2])
 				if ${PYTHON:-false} -c "$testminvers"; then
 					AC_MSG_RESULT([found])
-                                else
-                                        AC_MSG_RESULT([not found])
-                                        unset ac_cv_path_PYTHON
-                                        unset PYTHON
-                                        continue
+				else
+					AC_MSG_RESULT([not found])
+					unset ac_cv_path_PYTHON
+					unset PYTHON
+					continue
 				fi
 				AC_MSG_CHECKING([python module 'argparse'])
 				if ${PYTHON:-false} -c "$testargparse"; then
@@ -270,8 +282,19 @@ case "$use_python" in
                                         continue
 				fi
 			done
-			if test "X$PYTHON" = "X"
+			if test "X$PYTHON" != "X"
 			then
+				case "$use_python_install_dir" in
+				unspec)
+					PYTHON_INSTALL_DIR=""
+					PYTHON_INSTALL_LIB=""
+					;;
+				*)
+					PYTHON_INSTALL_DIR="$use_python_install_dir"
+					PYTHON_INSTALL_LIB="--install-lib=$use_python_install_dir"
+					;;
+				esac
+			else
 				AC_MSG_CHECKING([for python support])
 				case "$use_python" in
 				unspec)
@@ -320,6 +343,8 @@ fi
 AC_SUBST(CHECKDS)
 AC_SUBST(COVERAGE)
 AC_SUBST(PYTHON_TOOLS)
+AC_SUBST(PYTHON_INSTALL_DIR)
+AC_SUBST(PYTHON_INSTALL_LIB)
 
 #
 # Special processing of paths depending on whether --prefix,
@@ -584,9 +609,9 @@ printf("running on %s %s %s for %s\n",
        uts.sysname, uts.release, uts.version, uts.machine);
 ],
 	[AC_MSG_RESULT(yes)
-         AC_DEFINE(HAVE_UNAME)],
-        [AC_MSG_RESULT(no)
-         AC_MSG_WARN([uname is not correctly supported])])
+	 AC_DEFINE(HAVE_UNAME)],
+	[AC_MSG_RESULT(no)
+	 AC_MSG_WARN([uname is not correctly supported])])
 
 #
 # check for GCC noreturn attribute
@@ -626,7 +651,8 @@ AC_SUBST(ISC_PLATFORM_HAVELIFCONF)
 # check if we have kqueue
 #
 AC_ARG_ENABLE(kqueue,
-	[  --enable-kqueue         use BSD kqueue when available [[default=yes]]],
+	      AS_HELP_STRING([--enable-kqueue],
+			     [use BSD kqueue when available [default=yes]]),
 	      want_kqueue="$enableval",  want_kqueue="yes")
 case $want_kqueue in
 yes)
@@ -651,7 +677,8 @@ AC_SUBST(ISC_PLATFORM_HAVEKQUEUE)
 # so we need to try running the code, not just test its existence.
 #
 AC_ARG_ENABLE(epoll,
-[  --enable-epoll          use Linux epoll when available [[default=auto]]],
+	      AS_HELP_STRING([--enable-epoll],
+			     [use Linux epoll when available [default=auto]]),
 	      want_epoll="$enableval",  want_epoll="auto")
 case $want_epoll in
 auto)
@@ -684,7 +711,8 @@ AC_SUBST(ISC_PLATFORM_HAVEEPOLL)
 # check if we support /dev/poll
 #
 AC_ARG_ENABLE(devpoll,
-	[  --enable-devpoll        use /dev/poll when available [[default=yes]]],
+	      AS_HELP_STRING([--enable-devpoll],
+			     [use /dev/poll when available [default=yes]]),
 	      want_devpoll="$enableval",  want_devpoll="yes")
 case $want_devpoll in
 yes)
@@ -751,8 +779,9 @@ AC_C_BIGENDIAN
 GEOIPLINKSRCS=
 GEOIPLINKOBJS=
 AC_ARG_WITH(geoip,
-[  --with-geoip=PATH       Build with GeoIP support (yes|no|path)],
-    use_geoip="$withval", use_geoip="no")
+	    AS_HELP_STRING([--with-geoip=PATH],
+			   [Build with GeoIP support (yes|no|path)]),
+	    use_geoip="$withval", use_geoip="no")
 
 if test "yes" = "$use_geoip"
 then
@@ -843,8 +872,10 @@ AC_SUBST(GEOIPLINKOBJS)
 
 AC_MSG_CHECKING(for GSSAPI library)
 AC_ARG_WITH(gssapi,
-[  --with-gssapi=[[PATH|[/path/]krb5-config]]      Specify path for system-supplied GSSAPI [[default=yes]]],
-    use_gssapi="$withval", use_gssapi="yes")
+	    AS_HELP_STRING([--with-gssapi=[PATH|[/path/]krb5-config]],
+			   [Specify path for system-supplied GSSAPI
+				[default=yes]]),
+	    use_gssapi="$withval", use_gssapi="yes")
 
 # first try using krb5-config, if that does not work then fall back to "yes" method.
 
@@ -960,7 +991,7 @@ case "$use_gssapi" in
 		DNS_GSSAPI_LIBS="-framework Kerberos"
 		AC_MSG_RESULT(framework)
 		;;
-		
+
 	*)
 		AC_MSG_RESULT(looking in $use_gssapi/lib)
 		USE_GSSAPI='-DGSSAPI'
@@ -1121,8 +1152,9 @@ AC_SUBST(DNS_CRYPTO_LIBS)
 #
 AC_MSG_CHECKING(for random device)
 AC_ARG_WITH(randomdev,
-[  --with-randomdev=PATH   Specify path for random device],
-    use_randomdev="$withval", use_randomdev="unspec")
+	    AS_HELP_STRING([--with-randomdev=PATH],
+			   [Specify path for random device]),
+	    use_randomdev="$withval", use_randomdev="unspec")
 
 case "$use_randomdev" in
 	unspec)
@@ -1143,7 +1175,7 @@ case "$use_randomdev" in
 		AC_CHECK_FILE($devrandom,
 			      AC_DEFINE_UNQUOTED(PATH_RANDOMDEV,
 						 "$devrandom"),)
-			      
+
 		;;
 	yes)
 		AC_MSG_ERROR([--with-randomdev must specify a path])
@@ -1254,32 +1286,36 @@ then
 	AC_CHECK_FUNC(pthread_attr_setstacksize,
 		      AC_DEFINE(HAVE_PTHREAD_ATTR_SETSTACKSIZE),)
 
-        AC_ARG_WITH(locktype,
-                [  --with-locktype=ARG     Specify mutex lock type (adaptive or standard)],
-                locktype="$withval", locktype="adaptive")
-
-        case "$locktype" in
-                adaptive)
-                        AC_MSG_CHECKING([for PTHREAD_MUTEX_ADAPTIVE_NP])
-
-                        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
-                          #define _GNU_SOURCE
-                          #include <pthread.h>
-                        ]], [[
-                          return (PTHREAD_MUTEX_ADAPTIVE_NP);
-                        ]])],
-                        [ AC_MSG_RESULT(using adaptive lock type)
-                          AC_DEFINE([HAVE_PTHREAD_MUTEX_ADAPTIVE_NP], 1,
-                                    [Support for PTHREAD_MUTEX_ADAPTIVE_NP]) ],
-                        [ AC_MSG_RESULT(using standard lock type) ])
-                        ;;
-                standard)
-                        AC_MSG_RESULT(using standard lock type)
-                        ;;
-                *)
-                        AC_MSG_ERROR([You must specify "adaptive" or "standard" for --with-locktype.])
-                        ;;
-        esac
+	AC_ARG_WITH(locktype,
+		    AS_HELP_STRING([--with-locktype=ARG],
+				   [Specify mutex lock type
+					(adaptive or standard)]),
+		    locktype="$withval", locktype="adaptive")
+
+	case "$locktype" in
+		adaptive)
+			AC_MSG_CHECKING([for PTHREAD_MUTEX_ADAPTIVE_NP])
+
+			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
+			  #ifndef _GNU_SOURCE
+			  #define _GNU_SOURCE
+			  #endif
+			  #include <pthread.h>
+			]], [[
+			  return (PTHREAD_MUTEX_ADAPTIVE_NP);
+			]])],
+			[ AC_MSG_RESULT(using adaptive lock type)
+			  AC_DEFINE([HAVE_PTHREAD_MUTEX_ADAPTIVE_NP], 1,
+				    [Support for PTHREAD_MUTEX_ADAPTIVE_NP]) ],
+			[ AC_MSG_RESULT(using standard lock type) ])
+			;;
+		standard)
+			AC_MSG_RESULT(using standard lock type)
+			;;
+		*)
+			AC_MSG_ERROR([You must specify "adaptive" or "standard" for --with-locktype.])
+			;;
+	esac
 
 	AC_CHECK_HEADERS(sched.h)
 
@@ -1342,6 +1378,10 @@ then
 			;;
 	esac
 
+	# Look for functions relating to thread naming
+	AC_CHECK_FUNCS(pthread_setname_np pthread_set_name_np)
+	AC_CHECK_HEADERS([pthread_np.h], [], [], [#include <pthread.h>])
+
 	#
 	# Look for sysconf to allow detection of the number of processors.
 	#
@@ -1363,8 +1403,7 @@ ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
 
 AC_MSG_CHECKING(for libtool)
-AC_ARG_WITH(libtool,
-	    [  --with-libtool          use GNU libtool],
+AC_ARG_WITH(libtool, AS_HELP_STRING([--with-libtool], [use GNU libtool]),
 	    use_libtool="$withval", use_libtool="no")
 
 case $use_libtool in
@@ -1410,40 +1449,47 @@ AC_SUBST(INSTALL_LIBRARY)
 #  (note it implies both --without-openssl and --with-pkcs11)
 #
 AC_ARG_ENABLE(native-pkcs11,
-	[  --enable-native-pkcs11  use native PKCS11 for all crypto [[default=no]]],
-	want_native_pkcs11="$enableval", want_native_pkcs11="no")
+	      AS_HELP_STRING([--enable-native-pkcs11],
+			     [use native PKCS11 for all crypto [default=no]]),
+	      want_native_pkcs11="$enableval", want_native_pkcs11="no")
 
 #
 # was --with-openssl specified?
 #
 AC_ARG_WITH(openssl,
-[  --with-openssl[=PATH]     Build with OpenSSL [yes|no|path].
-			  (Crypto is required for DNSSEC)],
-    use_openssl="$withval", use_openssl="auto")
+	    AS_HELP_STRING([--with-openssl[=PATH]],
+			   [Build with OpenSSL [yes|no|path].
+				(Crypto is required for DNSSEC)]),
+	    use_openssl="$withval", use_openssl="auto")
 
 #
 # was --with-pkcs11 specified?
 #
 AC_ARG_WITH(pkcs11,
-[  --with-pkcs11[=PATH]      Build with PKCS11 support [yes|no|path]
-			  (PATH is for the PKCS11 provider)],
-   use_pkcs11="$withval", use_pkcs11="auto")
+	    AS_HELP_STRING([--with-pkcs11[=PATH]],
+			   [Build with PKCS11 support [yes|no|path]
+				(PATH is for the PKCS11 provider)]),
+	    use_pkcs11="$withval", use_pkcs11="auto")
 
 #
-# were --with-ecdsa, --with-gost, --with-aes specified
+# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
 #
-AC_ARG_WITH(ecdsa, [  --with-ecdsa            Crypto ECDSA],
+AC_ARG_WITH(ecdsa, AS_HELP_STRING([--with-ecdsa], [Crypto ECDSA]),
 	    with_ecdsa="$withval", with_ecdsa="auto")
-AC_ARG_WITH(gost, [  --with-gost             Crypto GOST [yes|no|raw|asn1].],
+AC_ARG_WITH(gost,
+	    AS_HELP_STRING([--with-gost], [Crypto GOST [yes|no|raw|asn1].]),
 	    with_gost="$withval", with_gost="auto")
-AC_ARG_WITH(aes, [  --with-aes              Crypto AES],
+AC_ARG_WITH(eddsa, AS_HELP_STRING([--with-eddsa], [Crypto EDDSA [yes|all|no].]),
+	    with_eddsa="$withval", with_eddsa="auto")
+AC_ARG_WITH(aes, AS_HELP_STRING([--with-aes], [Crypto AES]),
 	    with_aes="$withval", with_aes="checksit")
 
 #
 # was --enable-openssl-hash specified?
 #
 AC_ARG_ENABLE(openssl-hash,
-	[  --enable-openssl-hash   use OpenSSL for hash functions [[default=no]]],
+	      AS_HELP_STRING([--enable-openssl-hash],
+			     [use OpenSSL for hash functions [default=no]]),
 	want_openssl_hash="$enableval", want_openssl_hash="checksit")
 
 #
@@ -1451,8 +1497,9 @@ AC_ARG_ENABLE(openssl-hash,
 #
 AC_MSG_CHECKING(for Source Identity Token support)
 AC_ARG_ENABLE(sit,
-	[  --enable-sit            enable source identity token [[default=no]]],
-	enable_sit="$enableval", enable_sit="no")
+	      AS_HELP_STRING([--enable-sit],
+			     [enable source identity token [default=no]]),
+	      enable_sit="$enableval", enable_sit="no")
 HAVE_SIT=
 ISC_PLATFORM_USESIT="#undef ISC_PLATFORM_USESIT"
 
@@ -1476,10 +1523,11 @@ AC_SUBST(HAVE_SIT)
 # Source Identity Token algorithm choice
 #
 AC_ARG_WITH(sit-alg,
-	[  --with-sit-alg=ALG      choose the algorithm for SIT [[aes|sha1|sha256]]],
-	with_sit_alg="$withval", with_sit_alg="auto")
+	    AS_HELP_STRING([--with-sit-alg=ALG],
+			   [choose the algorithm for SIT [aes|sha1|sha256]]),
+	    with_sit_alg="$withval", with_sit_alg="auto")
 
-if test "$enable_sit" = "yes"
+if test "yes" = "$enable_sit"
 then
 	case $with_sit_alg in
 		*1)
@@ -1489,21 +1537,21 @@ then
 			with_sit_alg="sha256"
 			;;
 		auto)
-			if test "$with_aes" != "no"
+			if test "no" != "$with_aes"
 			then
 				with_aes="yes"
 			fi
 			;;
 		*)
 			with_sit_alg="aes"
-			if test "$with_aes" != "no"
+			if test "no" != "$with_aes"
 			then
 				with_aes="yes"
 			fi
 			;;
 	esac
 fi
-if test "with_aes" = "checksit"
+if test "checksit" = "$with_aes"
 then
 	with_aes="no"
 fi
@@ -1530,6 +1578,7 @@ then
 fi
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
+OPENSSL_ED25519=""
 gosttype="raw"
 case "$with_gost" in
 	raw)
@@ -1553,8 +1602,12 @@ case "$use_openssl" in
 		AC_MSG_RESULT(disabled because of native PKCS11)
 		DST_OPENSSL_INC=""
 		CRYPTO="-DPKCS11CRYPTO"
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		;;
@@ -1562,16 +1615,24 @@ case "$use_openssl" in
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		;;
 	auto)
 		DST_OPENSSL_INC=""
 		CRYPTO=""
+		OPENSSLECDSALINKOBJS=""
+		OPENSSLECDSALINKSRCS=""
+		OPENSSLEDDSALINKOBJS=""
+		OPENSSLEDDSALINKSRCS=""
 		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRS=""
+		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		AC_MSG_ERROR(
@@ -1581,7 +1642,7 @@ If you don't want OpenSSL, use --without-openssl])
 	*)
 		if test "yes" = "$want_native_pkcs11"
 		then
-                        AC_MSG_RESULT()
+			AC_MSG_RESULT()
 			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
 		fi
 		if test "yes" = "$use_openssl"
@@ -1705,43 +1766,21 @@ DSO_METHOD_dlfcn();
 		],
 		[AC_MSG_RESULT(assuming it does work on target platform)]
 		)
-		 
-AC_ARG_ENABLE(openssl-version-check,
-[AC_HELP_STRING([--enable-openssl-version-check],
-	[check OpenSSL version @<:@default=yes@:>@])])
-case "$enable_openssl_version_check" in
-yes|'')
-		AC_MSG_CHECKING(OpenSSL library version)
-		AC_TRY_RUN([
-#include <stdio.h>
-#include <openssl/opensslv.h>
-int main() {
-	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-	     (OPENSSL_VERSION_NUMBER >= 0x0090804fL &&
-	     OPENSSL_VERSION_NUMBER < 0x10002000L) ||
-	     OPENSSL_VERSION_NUMBER >= 0x1000205fL)
-		return (0);
-	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010lx\n",
-		OPENSSL_VERSION_NUMBER);
-	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000000f or greater (1.0.0)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000100f or greater (1.0.1)\n"
-	       "Require OPENSSL_VERSION_NUMBER 0x1000205f or greater (1.0.2e)\n\n");
-	return (1);
-}
-		],
-		[AC_MSG_RESULT(ok)],
-		[AC_MSG_RESULT(not compatible)
-		 OPENSSL_WARNING=yes
-		],
-		[AC_MSG_RESULT(assuming target platform has compatible version)])
-;;
-no)
-	AC_MSG_RESULT(Skipped OpenSSL version check)
-;;
-esac
+
+	AC_MSG_CHECKING(for OpenSSL FIPS mode support)
+	have_fips_mode=""
+	AC_TRY_LINK([#include <openssl/crypto.h>],
+		    [FIPS_mode();],
+		    have_fips_mode=yes,
+		    have_fips_mode=no)
+	if test "x$have_fips_mode" = "xyes"
+	then
+		AC_DEFINE([HAVE_FIPS_MODE], [1],
+			  [Define if OpenSSL provides FIPS_mode()])
+		AC_MSG_RESULT(yes)
+	else
+		AC_MSG_RESULT(no)
+	fi
 
 	AC_MSG_CHECKING(for OpenSSL DSA support)
 	if test -f $use_openssl/include/openssl/dsa.h
@@ -1796,6 +1835,8 @@ int main() {
 	case $have_ecdsa in
 	yes)
 		OPENSSL_ECDSA="yes"
+		OPENSSLECDSALINKOBJS='${OPENSSLECDSALINKOBJS}'
+		OPENSSLECDSALINKSRCS='${OPENSSLECDSALINKSRCS}'
 		AC_DEFINE(HAVE_OPENSSL_ECDSA, 1,
 			  [Define if your OpenSSL version supports ECDSA.])
 		;;
@@ -1869,6 +1910,86 @@ int main() {
 		;;
 	esac
 
+	AC_MSG_CHECKING(for OpenSSL Ed25519 support)
+	have_ed25519=""
+	have_ed448=""
+	AC_TRY_RUN([
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main() {
+	EVP_PKEY_CTX *ctx;
+
+	ctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);
+	if (ctx == NULL)
+		return (2);
+	return (0);
+}
+],
+	[AC_MSG_RESULT(yes)
+	have_ed25519="yes"],
+	[AC_MSG_RESULT(no)
+	have_ed25519="no"],
+	[AC_MSG_RESULT(using --with-eddsa)])
+	case "$with_eddsa" in
+	yes|all)
+	    case "$have_ed25519" in
+	    no)  AC_MSG_ERROR([eddsa not supported]) ;;
+	    *)  have_ed25519=yes ;;
+	    esac
+	    ;;
+	no)
+	    have_ed25519=no ;;
+	*)
+	    case "$have_ed25519" in
+	    yes|no) ;;
+	    *) AC_MSG_ERROR([need --with-eddsa=[[yes, all or no]]]) ;;
+	    esac
+	    ;;
+	esac
+	case $have_ed25519 in
+	yes)
+		OPENSSL_ED25519="yes"
+		OPENSSLEDDSALINKOBJS='${OPENSSLEDDSALINKOBJS}'
+		OPENSSLEDDSALINKSRCS='${OPENSSLEDDSALINKSRCS}'
+		AC_DEFINE(HAVE_OPENSSL_ED25519, 1,
+			  [Define if your OpenSSL version supports Ed25519.])
+		AC_MSG_CHECKING(for OpenSSL Ed448 support)
+		AC_TRY_RUN([
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+int main() {
+	EVP_PKEY_CTX *ctx;
+
+	ctx = EVP_PKEY_CTX_new_id(NID_ED448, NULL);
+	if (ctx == NULL)
+		return (2);
+	return (0);
+}
+],
+		[AC_MSG_RESULT(yes)
+		have_ed448="yes"],
+		[AC_MSG_RESULT(no)
+		have_ed448="no"],
+		[AC_MSG_RESULT(using --with-eddsa)])
+		case $with_eddsa in
+		all)
+			have_ed448=yes ;;
+		*)
+			;;
+		esac
+		case $have_ed448 in
+		yes)
+			AC_DEFINE(HAVE_OPENSSL_ED448, 1,
+				  [Define if your OpenSSL version supports Ed448.])],
+			;;
+		*)
+			;;
+		esac
+		;;
+	*)
+		;;
+	esac
+
 	have_aes="no"
 	AC_MSG_CHECKING(for OpenSSL AES support)
 	AC_TRY_RUN([
@@ -1891,7 +2012,7 @@ int main() {
 	 have_aes="yes"],
 	[AC_MSG_RESULT(no)])],
 	[AC_MSG_RESULT(using --with-aes)
-         # Expect cross-compiling with a modern OpenSSL
+	 # Expect cross-compiling with a modern OpenSSL
 	 have_aes="evp"])
 
 	ISC_OPENSSL_INC=""
@@ -1905,7 +2026,7 @@ int main() {
 			ISC_OPENSSL_INC="$DST_OPENSSL_INC"
 			ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
 			;;
-		yes)	
+		yes)
 			AC_DEFINE(HAVE_OPENSSL_AES, 1,
 				  [Define if your OpenSSL version supports AES])
 			ISC_OPENSSL_INC="$DST_OPENSSL_INC"
@@ -1931,11 +2052,16 @@ esac
 #
 
 AC_SUBST(DST_OPENSSL_INC)
+AC_SUBST(OPENSSLECDSALINKOBJS)
+AC_SUBST(OPENSSLECDSALINKSRCS)
+AC_SUBST(OPENSSLEDDSALINKOBJS)
+AC_SUBST(OPENSSLEDDSALINKSRCS)
 AC_SUBST(OPENSSLGOSTLINKOBJS)
 AC_SUBST(OPENSSLGOSTLINKSRCS)
 AC_SUBST(OPENSSLLINKOBJS)
 AC_SUBST(OPENSSLLINKSRCS)
 AC_SUBST(OPENSSL_ECDSA)
+AC_SUBST(OPENSSL_ED25519)
 AC_SUBST(OPENSSL_GOST)
 
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
@@ -2010,7 +2136,7 @@ case $with_sit_alg in
 			AC_MSG_ERROR("with-sit-alg requires enable-sit");
 		fi
 		AC_MSG_RESULT(aes)
-		if test "$with_aes" != "yes"
+		if test "yes" != "$with_aes"
 		then
 			AC_MSG_ERROR("SIT wants to use unavailable AES");
 		fi
@@ -2169,6 +2295,7 @@ AC_SUBST(PKCS11_PROVIDER)
 
 PKCS11_ECDSA=""
 PKCS11_GOST=""
+PKCS11_ED25519=""
 set_pk11_flavor="no"
 AC_MSG_CHECKING(for native PKCS11)
 
@@ -2202,6 +2329,29 @@ case "$want_native_pkcs11" in
 			AC_MSG_RESULT(disabled)
 			;;
 		esac
+		AC_MSG_CHECKING(for PKCS11 Ed25519)
+		case "$with_eddsa" in
+		yes|all)
+			AC_MSG_RESULT(enabled)
+			PKCS11_ED25519="yes"
+			AC_DEFINE(HAVE_PKCS11_ED25519, 1,
+				  [Define if your PKCS11 provider supports Ed25519.])
+			AC_MSG_CHECKING(for PKCS11 Ed448)
+			case "$with_eddsa" in
+			all)
+				AC_MSG_RESULT(enabled)
+				AC_DEFINE(HAVE_PKCS11_ED448, 1,
+					  [Define if your PKCS11 provider supports Ed448.])
+				;;
+			*)
+				AC_MSG_RESULT(disabled)
+				;;
+			esac
+			;;
+		*)
+			AC_MSG_RESULT(disabled)
+			;;
+		esac
 		AC_MSG_CHECKING(for PKCS11 flavor)
 		case "$PKCS11_PROVIDER" in
 			*nfast*)
@@ -2251,6 +2401,7 @@ AC_SUBST(PKCS11LINKSRCS)
 AC_SUBST(CRYPTO)
 AC_SUBST(PKCS11_ECDSA)
 AC_SUBST(PKCS11_GOST)
+AC_SUBST(PKCS11_ED25519)
 AC_SUBST(PKCS11_TEST)
 
 # for PKCS11 benchmarks
@@ -2261,7 +2412,7 @@ if test "no" = "$have_clock_gt"; then
 	AC_CHECK_LIB(rt,clock_gettime,have_clock_gt=rt,)
 fi
 
-if test "$have_clock_gt" != "no"; then
+if test "no" != "$have_clock_gt"; then
 	AC_DEFINE(HAVE_CLOCK_GETTIME, 1, [Define if clock_gettime is available.])
 fi
 
@@ -2274,8 +2425,9 @@ fi
 #
 AC_MSG_CHECKING(for libxml2 library)
 AC_ARG_WITH(libxml2,
-[  --with-libxml2[=PATH]     build with libxml2 library [yes|no|path]],
-    use_libxml2="$withval", use_libxml2="auto")
+	    AS_HELP_STRING([--with-libxml2[=PATH]],
+			   [build with libxml2 library [yes|no|path]]),
+	    use_libxml2="$withval", use_libxml2="auto")
 
 case "$use_libxml2" in
 	no)
@@ -2329,8 +2481,9 @@ AC_SUBST(XMLSTATS)
 #
 AC_MSG_CHECKING(for json library)
 AC_ARG_WITH(libjson,
-[  --with-libjson[=PATH]     build with libjson0 library [yes|no|path]],
-    use_libjson="$withval", use_libjson="auto")
+	    AS_HELP_STRING([--with-libjson[=PATH]],
+			   [build with libjson0 library [yes|no|path]]),
+	    use_libjson="$withval", use_libjson="auto")
 
 have_libjson=""
 have_libjson_c=""
@@ -2417,7 +2570,7 @@ AC_CHECK_LIB(scf, smf_enable_instance)
 AC_CHECK_FUNC(flockfile, AC_DEFINE(HAVE_FLOCKFILE),)
 AC_CHECK_FUNC(getc_unlocked, AC_DEFINE(HAVE_GETCUNLOCKED),)
 
-# 
+#
 # Indicate what the final decision was regarding threads.
 #
 AC_MSG_CHECKING(whether to build with threads)
@@ -2427,14 +2580,15 @@ else
 	AC_MSG_RESULT(no)
 fi
 
-# 
+#
 # End of pthreads stuff.
 #
 
 #
 # Large File
 #
-AC_ARG_ENABLE(largefile, [  --enable-largefile	  64-bit file support],
+AC_ARG_ENABLE(largefile,
+	      AS_HELP_STRING([--enable-largefile], [64-bit file support]),
 	      want_largefile="yes", want_largefile="no")
 case $want_largefile in
 	yes)
@@ -2586,8 +2740,8 @@ esac
 #
 AC_MSG_CHECKING(whether to use purify)
 AC_ARG_WITH(purify,
-	[  --with-purify[=PATH]      use Rational purify],
-	use_purify="$withval", use_purify="no")
+	    AS_HELP_STRING([--with-purify[=PATH]], [use Rational purify]),
+	    use_purify="$withval", use_purify="no")
 
 case "$use_purify" in
 	no)
@@ -2606,7 +2760,7 @@ case "$use_purify" in
 		PURIFY=""
 		;;
 	*)
-		if test -f $purify_path || test $purify_path = purify; then
+		if test -f "$purify_path" || test purify = "$purify_path"; then
 			AC_MSG_RESULT($purify_path)
 			PURIFYFLAGS="`echo $PURIFYOPTIONS`"
 			PURIFY="$purify_path $PURIFYFLAGS"
@@ -2628,8 +2782,9 @@ AC_SUBST(PURIFY)
 #
 AC_MSG_CHECKING(whether to use gperftools profiler)
 AC_ARG_WITH(gperftools-profiler,
-	[  --with-gperftools-profiler  use gperftools CPU profiler],
-	use_profiler="$withval", use_profiler="no")
+	    AS_HELP_STRING([--with-gperftools-profiler],
+			   [use gperftools CPU profiler]),
+	    use_profiler="$withval", use_profiler="no")
 
 case $use_profiler in
 	yes)
@@ -2648,7 +2803,8 @@ esac
 # glibc-compatible backtrace() function.
 #
 AC_ARG_ENABLE(backtrace,
-[  --enable-backtrace      log stack backtrace on abort [[default=yes]]],
+	      AS_HELP_STRING([--enable-backtrace],
+			     [log stack backtrace on abort [default=yes]]),
 	      want_backtrace="$enableval",  want_backtrace="yes")
 case $want_backtrace in
 yes)
@@ -2664,9 +2820,10 @@ esac
 AC_SUBST(ISC_PLATFORM_USEBACKTRACE)
 
 AC_ARG_ENABLE(symtable,
-[  --enable-symtable       use internal symbol table for backtrace
-			  [[all|minimal(default)|none]]],
-		want_symtable="$enableval",  want_symtable="minimal")
+	      AS_HELP_STRING([--enable-symtable],
+			     [use internal symbol table for backtrace
+			      [all|minimal(default)|none]]),
+	      want_symtable="$enableval",  want_symtable="minimal")
 case $want_symtable in
 yes|all|minimal)     # "yes" is a hidden value equivalent to "minimal"
 	if test "" = "$PERL"
@@ -2684,12 +2841,12 @@ Install perl or explicitly disable the feature by --disable-symtable.])
 		case $host_os in
 		freebsd*|netbsd*|openbsd*|linux*|solaris*|darwin*)
 			MKSYMTBL_PROGRAM="$PERL"
-			if test $want_symtable = all; then
+			if test "all" = "$want_symtable"; then
 				ALWAYS_MAKE_SYMTABLE="yes"
 			fi
 			;;
 		*)
-			if test $want_symtable = yes -o $want_symtable = all
+			if test "yes" = "$want_symtable" -o "all" = "$want_symtable"
 			then
 				AC_MSG_WARN([this system is not known to generate internal symbol table safely; disabling it])
 			fi
@@ -2731,7 +2888,7 @@ AC_SUBST(BIND9_CO_RULE)
 # IPv6
 #
 AC_ARG_ENABLE(ipv6,
-	[  --enable-ipv6           use IPv6 [default=autodetect]])
+	      AS_HELP_STRING([--enable-ipv6], [use IPv6 [default=autodetect]]))
 
 case "$enable_ipv6" in
 	yes|''|autodetect)
@@ -2762,8 +2919,9 @@ AC_TRY_COMPILE([
 #
 AC_MSG_CHECKING(for Kame IPv6 support)
 AC_ARG_WITH(kame,
-	[  --with-kame[=PATH]	  use Kame IPv6 [default path /usr/local/v6]],
-	use_kame="$withval", use_kame="no")
+	    AS_HELP_STRING([--with-kame[=PATH]],
+			   [use Kame IPv6 [default path /usr/local/v6]]),
+	    use_kame="$withval", use_kame="no")
 
 case "$use_kame" in
 	no)
@@ -3037,7 +3195,7 @@ AC_TRY_RUN([
 #include <netinet/in.h>
 #include <arpa/inet.h>
 main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
-			     inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 : 
+			     inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 :
 			     (inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
 	[AC_MSG_RESULT(yes)
 	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
@@ -3286,14 +3444,15 @@ AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
 AC_SUBST(ISC_IRS_GETNAMEINFOSOCKLEN)
 
 AC_ARG_ENABLE(getifaddrs,
-[  --enable-getifaddrs     enable the use of getifaddrs() [[yes|no]].],
-    want_getifaddrs="$enableval",  want_getifaddrs="yes")
+	      AS_HELP_STRING([--enable-getifaddrs],
+			     [enable the use of getifaddrs() [yes|no].]),
+	      want_getifaddrs="$enableval",  want_getifaddrs="yes")
 
 #
 # This interface iteration code for getifaddrs() will fall back to using
 # /proc/net/if_inet6 if getifaddrs() in glibc doesn't return any IPv6
 # addresses.
-# 
+#
 case $want_getifaddrs in
 glibc)
 AC_MSG_WARN("--enable-getifaddrs=glibc is no longer required")
@@ -3360,9 +3519,9 @@ AC_SUBST(GENRANDOMLIB)
 
 AC_CHECK_FUNC(strlcpy,
 	[ISC_PLATFORM_NEEDSTRLCPY="#undef ISC_PLATFORM_NEEDSTRLCPY"
-         LWRES_PLATFORM_NEEDSTRLCPY="#undef LWRES_PLATFORM_NEEDSTRLCPY"],
+	 LWRES_PLATFORM_NEEDSTRLCPY="#undef LWRES_PLATFORM_NEEDSTRLCPY"],
 	[ISC_PLATFORM_NEEDSTRLCPY="#define ISC_PLATFORM_NEEDSTRLCPY 1"
-         LWRES_PLATFORM_NEEDSTRLCPY="#define LWRES_PLATFORM_NEEDSTRLCPY 1"])
+	 LWRES_PLATFORM_NEEDSTRLCPY="#define LWRES_PLATFORM_NEEDSTRLCPY 1"])
 AC_SUBST(ISC_PLATFORM_NEEDSTRLCPY)
 AC_SUBST(LWRES_PLATFORM_NEEDSTRLCPY)
 
@@ -3378,8 +3537,9 @@ AC_SUBST(ISC_PLATFORM_NEEDSTRCASESTR)
 
 AC_SUBST(READLINE_LIB)
 AC_ARG_WITH(readline,
-	[  --with-readline[=LIBSPEC]    specify readline library [default auto]],
-	use_readline="$withval", use_readline="auto")
+	    AS_HELP_STRING([--with-readline[=LIBSPEC]],
+			   [specify readline library [default auto]]),
+	    use_readline="$withval", use_readline="auto")
 case "$use_readline" in
 no)	;;
 *)
@@ -3415,7 +3575,7 @@ no)	;;
 			break
 		fi
 	done
-	if test "$use_readline" != "auto" &&
+	if test "auto" != "$use_readline" &&
 	   test "X$READLINE_LIB" = "X"
 	then
 		AC_MSG_ERROR([The readline library was not found.])
@@ -3423,7 +3583,7 @@ no)	;;
 	LIBS="$saved_LIBS"
 	;;
 esac
-if test yes = "$ac_cv_func_readline"
+if test "yes" = "$ac_cv_func_readline"
 then
 	case "$READLINE_LIB" in
 	*edit*)
@@ -3465,24 +3625,26 @@ AC_CHECK_FUNC(vsnprintf, [],
 AC_MSG_CHECKING(printf for %z support)
 AC_TRY_RUN([
 #include <stdio.h>
+
+int
 main() {
-        size_t j = 0;
-        char buf[100];
-        buf[0] = 0;
-        sprintf(buf, "%zu", j);
-        exit(strcmp(buf, "0") != 0);
+	size_t j = 0;
+	char buf[100];
+	buf[0] = 0;
+	sprintf(buf, "%zu", j);
+	return ((buf[0] == '0' && buf[1] == '\0') ? 0 : 1);
 }
 ],
-        [AC_MSG_RESULT(yes)],
-        [AC_MSG_RESULT(no)
+	[AC_MSG_RESULT(yes)],
+	[AC_MSG_RESULT(no)
 	ISC_PRINT_OBJS="print.$O"
 	ISC_PRINT_SRCS="print.c"
-        ISC_PLATFORM_NEEDPRINTF='#define ISC_PLATFORM_NEEDPRINTF 1'
-        ISC_PLATFORM_NEEDFPRINTF='#define ISC_PLATFORM_NEEDFPRINTF 1'
-        ISC_PLATFORM_NEEDFSRINTF='#define ISC_PLATFORM_NEEDSPRINTF 1'
+	ISC_PLATFORM_NEEDPRINTF='#define ISC_PLATFORM_NEEDPRINTF 1'
+	ISC_PLATFORM_NEEDFPRINTF='#define ISC_PLATFORM_NEEDFPRINTF 1'
+	ISC_PLATFORM_NEEDFSRINTF='#define ISC_PLATFORM_NEEDSPRINTF 1'
 	ISC_PLATFORM_NEEDVSNPRINTF="#define ISC_PLATFORM_NEEDVSNPRINTF 1"
 	LWRES_PLATFORM_NEEDVSNPRINTF="#define LWRES_PLATFORM_NEEDVSNPRINTF 1"],
-        [AC_MSG_RESULT(assuming target platform supports %z)])
+	[AC_MSG_RESULT(assuming target platform supports %z)])
 
 AC_SUBST(ISC_PLATFORM_NEEDPRINTF)
 AC_SUBST(ISC_PLATFORM_NEEDFPRINTF)
@@ -3501,7 +3663,8 @@ AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
 # Use our own SPNEGO implementation?
 #
 AC_ARG_ENABLE(isc-spnego,
-	[  --disable-isc-spnego    use SPNEGO from GSSAPI library])
+	      AS_HELP_STRING([--disable-isc-spnego],
+			     [use SPNEGO from GSSAPI library]))
 
 if test -n "$USE_GSSAPI"
 then
@@ -3546,7 +3709,7 @@ main() {
 	sprintf(buf, "%lld", j);
 	exit((sizeof(long long int) != sizeof(long int))? 0 :
 	     (strcmp(buf, "0") != 0));
-} 
+}
 ],
 	[AC_MSG_RESULT(ll)
 	ISC_PLATFORM_QUADFORMAT='#define ISC_PLATFORM_QUADFORMAT "ll"'
@@ -3566,8 +3729,7 @@ AC_SUBST(LWRES_PLATFORM_QUADFORMAT)
 #
 # Note it is very recommended to *not* disable chroot(),
 # this is only because chroot() was made obsolete by Posix.
-AC_ARG_ENABLE(chroot,
-	[  --disable-chroot        disable chroot])
+AC_ARG_ENABLE(chroot, AS_HELP_STRING([--disable-chroot], [disable chroot]))
 case "$enable_chroot" in
 	yes|'')
 		AC_CHECK_FUNCS(chroot)
@@ -3576,7 +3738,8 @@ case "$enable_chroot" in
 		;;
 esac
 AC_ARG_ENABLE(linux-caps,
-	[  --disable-linux-caps	  disable linux capabilities])
+	      AS_HELP_STRING([--disable-linux-caps],
+			     [disable linux capabilities]))
 case "$enable_linux_caps" in
 	yes|'')
 		AC_CHECK_HEADERS(linux/types.h)
@@ -3632,9 +3795,9 @@ AC_DEFINE(NEED_OPTARG, 1, [Defined if extern char *optarg is not declared.])])
 AC_MSG_CHECKING(st_mtim.tv_nsec)
 AC_TRY_COMPILE([#include <sys/fcntl.h>],[struct stat s; return(s.st_mtim.tv_nsec);],
 	[AC_MSG_RESULT(yes)
-        ISC_PLATFORM_HAVESTATNSEC="#define ISC_PLATFORM_HAVESTATNSEC 1"],
+	ISC_PLATFORM_HAVESTATNSEC="#define ISC_PLATFORM_HAVESTATNSEC 1"],
 	[AC_MSG_RESULT(no)
-        ISC_PLATFORM_HAVESTATNSEC="#undef ISC_PLATFORM_HAVESTATNSEC"])
+	ISC_PLATFORM_HAVESTATNSEC="#undef ISC_PLATFORM_HAVESTATNSEC"])
 AC_SUBST(ISC_PLATFORM_HAVESTATNSEC)
 
 #
@@ -3832,22 +3995,38 @@ yes)
 esac
 AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
 
-AC_CHECK_FUNCS(nanosleep usleep)
+AC_CHECK_FUNCS(nanosleep usleep explicit_bzero)
 
 #
 # Machine architecture dependent features
 #
+have_stdatomic=no
+AC_MSG_CHECKING(for usable stdatomic.h)
+AC_TRY_COMPILE([
+#include <stdio.h>
+#include <stdatomic.h>
+],
+[
+atomic_int_fast32_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);
+],
+        [AC_MSG_RESULT(yes)
+	 have_stdatomic=yes
+	 ISC_PLATFORM_HAVESTDATOMIC="#define ISC_PLATFORM_HAVESTDATOMIC 1"],
+	[AC_MSG_RESULT(no)
+	 have_stdatomic=no
+	 ISC_PLATFORM_HAVESTDATOMIC="#undef ISC_PLATFORM_HAVESTDATOMIC"])
+
 AC_ARG_ENABLE(atomic,
-	[  --enable-atomic	  enable machine specific atomic operations
-			  [[default=autodetect]]],
-			enable_atomic="$enableval",
-			enable_atomic="autodetect")
+	      AS_HELP_STRING([--enable-atomic],
+			     [enable machine specific atomic operations
+				[default=autodetect]]),
+	      enable_atomic="$enableval", enable_atomic="autodetect")
 case "$enable_atomic" in
 	yes|''|autodetect)
 		case "$host" in
 		powerpc-ibm-aix*)
 			if test "X$GCC" = "Xyes"; then
-				AC_MSG_CHECKING([if asm("isc"); works])
+				AC_MSG_CHECKING([if asm("ics"); works])
 				AC_TRY_COMPILE(,[
 				main() { asm("ics"); exit(0); }
 				],
@@ -3879,11 +4058,28 @@ case "$enable_atomic" in
 		esac
 		;;
 	no)
+		have_stdatomic=no
+		ISC_PLATFORM_HAVESTDATOMIC="#undef ISC_PLATFORM_HAVESTDATOMIC"
 		use_atomic=no
 		arch=noatomic
 		;;
 esac
 
+if test "X$have_stdatomic" = "Xyes"; then
+    AC_MSG_CHECKING(if -latomic is needed to use 64-bit stdatomic.h primitives)
+    AC_LINK_IFELSE(
+	[AC_LANG_PROGRAM([#include <stdatomic.h>],
+			 [atomic_int_fast64_t val = 0; atomic_fetch_add_explicit(&val, 1, memory_order_relaxed);])],
+	[AC_MSG_RESULT(no)
+	 ISC_ATOMIC_LIBS=""],
+	[AC_MSG_RESULT(yes)
+	 ISC_ATOMIC_LIBS="-latomic"]
+    )
+    LIBS="$LIBS $ISC_ATOMIC_LIBS"
+fi
+
+AC_SUBST(ISC_PLATFORM_HAVESTDATOMIC)
+
 ISC_PLATFORM_USEOSFASM="#undef ISC_PLATFORM_USEOSFASM"
 ISC_PLATFORM_USEGCCASM="#undef ISC_PLATFORM_USEGCCASM"
 ISC_PLATFORM_USESTDASM="#undef ISC_PLATFORM_USESTDASM"
@@ -3962,7 +4158,7 @@ if test "yes" = "$have_atomic"; then
 	else
 		case "$host" in
 		alpha*-dec-osf*)
-			# Tru64 compiler has its own syntax for inline 
+			# Tru64 compiler has its own syntax for inline
 			# assembly.
 			AC_TRY_COMPILE(, [
 #ifndef __DECC
@@ -4042,16 +4238,16 @@ AC_SUBST(ISC_ARCH_DIR)
 #
 AC_MSG_CHECKING([compiler support for __builtin_expect])
 AC_TRY_LINK(, [
-        return (__builtin_expect(1, 1) ? 1 : 0);
+	return (__builtin_expect(1, 1) ? 1 : 0);
 ], [
-        have_builtin_expect=yes
-        AC_MSG_RESULT(yes)
+	have_builtin_expect=yes
+	AC_MSG_RESULT(yes)
 ], [
-        have_builtin_expect=no
-        AC_MSG_RESULT(no)
+	have_builtin_expect=no
+	AC_MSG_RESULT(no)
 ])
 if test "yes" = "$have_builtin_expect"; then
-        AC_DEFINE(HAVE_BUILTIN_EXPECT, 1, [Define to 1 if the compiler supports __builtin_expect.])
+	AC_DEFINE(HAVE_BUILTIN_EXPECT, 1, [Define to 1 if the compiler supports __builtin_expect.])
 fi
 
 #
@@ -4059,25 +4255,25 @@ fi
 #
 AC_MSG_CHECKING([compiler support for __builtin_clz])
 AC_TRY_LINK(, [
-        return (__builtin_clz(0xff) == 24 ? 1 : 0);
+	return (__builtin_clz(0xff) == 24 ? 1 : 0);
 ], [
-        have_builtin_clz=yes
-        AC_MSG_RESULT(yes)
+	have_builtin_clz=yes
+	AC_MSG_RESULT(yes)
 ], [
-        have_builtin_clz=no
-        AC_MSG_RESULT(no)
+	have_builtin_clz=no
+	AC_MSG_RESULT(no)
 ])
 if test "yes" = "$have_builtin_clz"; then
-        AC_DEFINE(HAVE_BUILTIN_CLZ, 1, [Define to 1 if the compiler supports __builtin_clz.])
+	AC_DEFINE(HAVE_BUILTIN_CLZ, 1, [Define to 1 if the compiler supports __builtin_clz.])
 fi
 
 #
 # Activate "rrset-order fixed" or not?
 #
 AC_ARG_ENABLE(fixed-rrset,
-	[  --enable-fixed-rrset    enable fixed rrset ordering [[default=no]]],
-			enable_fixed="$enableval",
-			enable_fixed="no")
+	      AS_HELP_STRING([--enable-fixed-rrset],
+			     [enable fixed rrset ordering [default=no]]),
+	      enable_fixed="$enableval", enable_fixed="no")
 case "$enable_fixed" in
 	yes)
 		AC_DEFINE(DNS_RDATASET_FIXED, 1,
@@ -4093,9 +4289,9 @@ esac
 # Enable response policy rewriting using NS IP addresses
 #
 AC_ARG_ENABLE(rpz-nsip,
-	[  --disable-rpz-nsip	  disable rpz-nsip rules [[default=enabled]]],
-			enable_nsip="$enableval",
-			enable_nsip="yes")
+	      AS_HELP_STRING([--disable-rpz-nsip],
+			     [disable rpz nsip rules [default=enabled]]),
+	      enable_nsip="$enableval", enable_nsip="yes")
 case "$enable_nsip" in
 	yes)
 		AC_DEFINE(ENABLE_RPZ_NSIP, 1,
@@ -4111,9 +4307,9 @@ esac
 # Enable response policy rewriting using NS name
 #
 AC_ARG_ENABLE(rpz-nsdname,
-	[  --disable-rpz-nsdname	  disable rpz-nsdname rules [[default=enabled]]],
-			enable_nsdname="$enableval",
-			enable_nsdname="yes")
+	      AS_HELP_STRING([--disable-rpz-nsdname],
+			     [disable rpz nsdname rules [default=enabled]]),
+	      enable_nsdname="$enableval", enable_nsdname="yes")
 case "$enable_nsdname" in
 	yes)
 		AC_DEFINE(ENABLE_RPZ_NSDNAME, 1,
@@ -4129,9 +4325,9 @@ esac
 # Activate recursive fetch limits
 #
 AC_ARG_ENABLE(fetchlimit,
-	[  --enable-fetchlimit     enable recursive fetch limits [[default=no]]],
-			enable_fetchlimit="$enableval",
-			enable_fetchlimit="no")
+	      AS_HELP_STRING([--enable-fetchlimit],
+			     [enable recursive fetch limits [default=no]]),
+	      enable_fetchlimit="$enableval", enable_fetchlimit="no")
 case "$enable_fetchlimit" in
 	yes)
 		AC_DEFINE(ENABLE_FETCHLIMIT, 1,
@@ -4147,9 +4343,9 @@ esac
 # Activate "filter-aaaa" or not?
 #
 AC_ARG_ENABLE(filter-aaaa,
-	[  --enable-filter-aaaa    enable filtering of AAAA records [[default=no]]],
-			enable_filter="$enableval",
-			enable_filter="no")
+	      AS_HELP_STRING([--enable-filter-aaaa],
+			     [enable filtering of AAAA records [default=no]]),
+	      enable_filter="$enableval", enable_filter="no")
 case "$enable_filter" in
 	yes)
 		AC_DEFINE(ALLOW_FILTER_AAAA, 1,
@@ -4214,6 +4410,13 @@ AC_PATH_PROGS(W3M, w3m, w3m)
 AC_SUBST(W3M)
 
 #
+# Look for pandoc
+#
+AC_PATH_PROG(PANDOC, pandoc, pandoc)
+AC_SUBST(PANDOC)
+
+
+#
 # Look for xsltproc (libxslt)
 #
 
@@ -4248,11 +4451,11 @@ AC_SUBST(CURL)
 #   NOM_PATH_FILE(VARIABLE, FILENAME, DIRECTORIES)
 #
 # If the file FILENAME is found in one of the DIRECTORIES, the shell
-# variable VARIABLE is defined to its absolute pathname.  Otherwise, 
+# variable VARIABLE is defined to its absolute pathname.  Otherwise,
 # it is set to FILENAME, with no directory prefix (that's not terribly
 # useful, but looks less confusing in substitutions than leaving it
 # empty).  The variable VARIABLE will be substituted into output files.
-# 
+#
 
 AC_DEFUN(NOM_PATH_FILE, [
 $1=""
@@ -4283,7 +4486,8 @@ AC_SUBST($1)
 #
 AC_MSG_CHECKING(for Docbook-XSL path)
 AC_ARG_WITH(docbook-xsl,
-[  --with-docbook-xsl=PATH specify path for Docbook-XSL stylesheets],
+	    AS_HELP_STRING([--with-docbook-xsl[=PATH]],
+			   [specify path for Docbook-XSL stylesheets]),
    docbook_path="$withval", docbook_path="auto")
 case "$docbook_path" in
 auto)
@@ -4321,8 +4525,9 @@ NOM_PATH_FILE(XSLT_DBLATEX_FASTBOOK, xsl/latex_book_fast.xsl, $dblatex_xsl_trees
 # IDN support
 #
 AC_ARG_WITH(idn,
-	[  --with-idn[=MPREFIX]      enable IDN support using idnkit [default PREFIX]],
-	use_idn="$withval", use_idn="no")
+	    AS_HELP_STRING([--with-idn[=MPREFIX]],
+			   [enable IDN support using idnkit [default PREFIX]]),
+	    use_idn="$withval", use_idn="no")
 case "$use_idn" in
 yes)
 	if test X$prefix = XNONE ; then
@@ -4341,8 +4546,9 @@ esac
 iconvinc=
 iconvlib=
 AC_ARG_WITH(libiconv,
-	[  --with-libiconv[=IPREFIX] GNU libiconv are in IPREFIX [default PREFIX]],
-	use_libiconv="$withval", use_libiconv="no")
+	    AS_HELP_STRING([--with-libiconv[=IPREFIX]],
+			   [GNU libiconv are in IPREFIX [default PREFIX]]),
+	    use_libiconv="$withval", use_libiconv="no")
 case "$use_libiconv" in
 yes)
 	if test X$prefix = XNONE ; then
@@ -4360,8 +4566,9 @@ no)
 esac
 
 AC_ARG_WITH(iconv,
-	[  --with-iconv[=LIBSPEC]    specify iconv library [default -liconv]],
-	iconvlib="$withval")
+	    AS_HELP_STRING([--with-iconv[=LIBSPEC]],
+			   [specify iconv library [default -liconv]]),
+	    iconvlib="$withval")
 case "$iconvlib" in
 no)
 	iconvlib=
@@ -4372,17 +4579,17 @@ yes)
 esac
 
 AC_ARG_WITH(idnlib,
-	[  --with-idnlib=ARG       specify libidnkit],
-	idnlib="$withval", idnlib="no")
+	    AS_HELP_STRING([--with-idnlib=ARG], [specify libidnkit]),
+	    idnlib="$withval", idnlib="no")
 if test "yes" = "$idnlib"; then
 	AC_MSG_ERROR([You must specify ARG for --with-idnlib.])
 fi
 
 IDNLIBS=
-if test "$use_idn" != no; then
+if test "no" != "$use_idn"; then
 	AC_DEFINE(WITH_IDN, 1, [define if idnkit support is to be included.])
 	STD_CINCLUDES="$STD_CINCLUDES -I$idn_path/include"
-	if test "$idnlib" != no; then
+	if test "no" != "$idnlib"; then
 		IDNLIBS="$idnlib $iconvlib"
 	else
 		IDNLIBS="-L$idn_path/lib -lidnkit $iconvlib"
@@ -4394,9 +4601,9 @@ AC_SUBST(IDNLIBS)
 # Check whether to build Automated Test Framework unit tests
 #
 AC_ARG_WITH(atf,
-	[  --with-atf=ARG          support Automated Test Framework],
-	atf="$withval", atf="no")
-if test yes = "$atf"; then
+	    AS_HELP_STRING([--with-atf],[support Automated Test Framework]),
+	    atf="$withval", atf="no")
+if test "yes" = "$atf"; then
 	atf=`pwd`/unit/atf
 	ATFBUILD=atf-src
 	AC_SUBST(ATFBUILD)
@@ -4409,13 +4616,13 @@ if test yes = "$atf"; then
 		 *) srcdir="../../$srcdir";;
 		 esac
 		 ${SHELL} "${srcdir}${srcdir:+/unit/atf-src/}./configure" --enable-tools --disable-shared MISSING=: --prefix $atfdir;
-		) ],
+		) || AC_MSG_ERROR([Failed to configure ATF.]) ],
 		[atfdir=`pwd`/unit/atf])
 	AC_MSG_RESULT(building ATF from bind9/unit/atf-src)
 fi
 
 ATFLIBS=
-if test "$atf" != no; then
+if test "no" != "$atf"; then
 	AC_DEFINE(ATF_TEST, 1, [define if ATF unit tests are to be built.])
 	STD_CINCLUDES="$STD_CINCLUDES -I$atf/include"
 	ATFBIN="$atf/bin"
@@ -4433,8 +4640,9 @@ AC_CHECK_FUNCS(setlocale)
 # was --with-tuning specified?
 #
 AC_ARG_WITH(tuning,
-	[  --with-tuning=ARG       Specify server tuning (large or default)],
-	use_tuning="$withval", use_tuning="no")
+	    AS_HELP_STRING([--with-tuning=ARG],
+			   [Specify server tuning (large or default)]),
+	    use_tuning="$withval", use_tuning="no")
 
 case "$use_tuning" in
 	large)
@@ -4456,8 +4664,10 @@ esac
 # was --enable-querytrace specified?
 #
 AC_ARG_ENABLE(querytrace,
-	[  --enable-querytrace     enable very verbose query trace logging [[default=no]]],
-	want_querytrace="$enableval", want_querytrace="no")
+	      AS_HELP_STRING([--enable-querytrace],
+			     [enable very verbose query trace logging
+				[default=no]]),
+	      want_querytrace="$enableval", want_querytrace="no")
 
 AC_MSG_CHECKING([whether to enable query trace logging])
 case "$want_querytrace" in
@@ -4588,7 +4798,7 @@ DLZ_DRIVER_SRCS=""
 DLZ_DRIVER_OBJS=""
 DLZ_SYSTEM_TEST=""
 
-# 
+#
 # Configure support for building a shared library object
 #
 # Even when libtool is available it can't always be relied upon
@@ -4603,8 +4813,9 @@ SO_LD=""
 SO_TARGETS=""
 
 AC_ARG_WITH(dlopen,
-	[  --with-dlopen=ARG       support dynamically loadable DLZ drivers],
-	dlopen="$withval", dlopen="yes")
+	    AS_HELP_STRING([--with-dlopen=ARG],
+			   [support dynamically loadable DLZ drivers]),
+	    dlopen="$withval", dlopen="yes")
 
 case $host in
 	*-sunos*) dlopen="no"
@@ -4727,8 +4938,8 @@ if test "yes" = "$cross_compiling"; then
 	BUILD_LDFLAGS="$BUILD_LDFLAGS"
 	BUILD_LIBS="$BUILD_LIBS"
 else
-	BUILD_CC="$CC" 
-	BUILD_CFLAGS="$CFLAGS" 
+	BUILD_CC="$CC"
+	BUILD_CFLAGS="$CFLAGS"
 	BUILD_CPPFLAGS="$CPPFLAGS $GEN_NEED_OPTARG"
 	BUILD_LDFLAGS="$LDFLAGS"
 	BUILD_LIBS="$LIBS"
@@ -4938,187 +5149,187 @@ AC_OUTPUT
 # Now that the Makefiles exist we can ensure that everything is rebuilt.
 #
 AC_ARG_WITH(make-clean,
-[  --with-make-clean       run "make clean" at end of configure [[yes|no]]],
-    make_clean="$withval", make_clean="yes")
+	    AS_HELP_STRING([--with-make-clean],
+			   [run "make clean" at end of configure [yes|no]]),
+	    make_clean="$withval", make_clean="yes")
 case "$make_clean" in
 yes)
-	if test "$no_create" != "yes"
+	if test "yes" != "$no_create"
 	then
-		make clean
+		if test "yes" = "$silent"
+		then
+			make clean > /dev/null
+		else
+			make clean
+		fi
 	fi
 	;;
 esac
 
 AC_ARG_ENABLE(full-report,
-	[  --enable-full-report	  report values of all configure options])
+	      AS_HELP_STRING([--enable-full-report],
+			     [report values of all configure options]))
 
-echo "========================================================================"
-echo "Configuration summary:"
-echo "------------------------------------------------------------------------"
-echo "Optional features enabled:"
-if $use_threads; then
-    echo "    Multiprocessing support (--enable-threads)"
-    if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
-        echo "        Mutex lock type: $locktype"
+report() {
+    echo "========================================================================"
+    echo "Configuration summary:"
+    echo "------------------------------------------------------------------------"
+    echo "Optional features enabled:"
+    if $use_threads; then
+	echo "    Multiprocessing support (--enable-threads)"
+	if test "yes" = "$enable_full_report" -o "standard" = "$locktype"; then
+	    echo "        Mutex lock type: $locktype"
+	fi
     fi
-fi
-test "large" = "$use_tuning" && echo "    Large-system tuning (--with-tuning)"
-test "no" = "$use_geoip" || echo "    GeoIP access control (--with-geoip)"
-test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
-test "yes" = "$enable_fetchlimit" && \
-    echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
-if test "no" = "$enable_sit"; then
-    echo "    Source Identity Token support (--enable-sit)"
-    if test "yes" = "$enable_full_report" -o "aes" = "$with_sit_alg"; then
-	echo "        Algorithm: $with_sit_alg"
+    test "large" = "$use_tuning" && echo "    Large-system tuning (--with-tuning)"
+    test "no" = "$use_geoip" || echo "    GeoIP access control (--with-geoip)"
+    test "no" = "$use_gssapi" || echo "    GSS-API (--with-gssapi)"
+    test "yes" = "$enable_fetchlimit" && \
+        echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
+    if test "no" = "$enable_sit"; then
+        echo "    Source Identity Token support (--enable-sit)"
+        if test "yes" = "$enable_full_report" -o "aes" = "$with_sit_alg"; then
+            echo "        Algorithm: $with_sit_alg"
+        fi
     fi
-fi
 
-# these lines are only printed if run with --enable-full-report 
-if test "yes" = "$enable_full_report"; then
-    test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" || \
-	echo "    IPv6 support (--enable-ipv6)"
-    test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
-	    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-    test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
-    test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
-    test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
-fi
+    # these lines are only printed if run with --enable-full-report
+    if test "yes" = "$enable_full_report"; then
+        test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" || \
+            echo "    IPv6 support (--enable-ipv6)"
+        test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11" || \
+                echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+        test "X$PYTHON" = "X" || echo "    Python tools (--with-python)"
+        test "X$XMLSTATS" = "X" || echo "    XML statistics (--with-libxml2)"
+        test "X$JSONSTATS" = "X" || echo "    JSON statistics (--with-libjson)"
+    fi
 
-if test "$use_pkcs11" != "no"; then
-    if test "yes" = "$want_native_pkcs11"; then
-	echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
-    else
-	echo "    PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
+    if test "no" != "$use_pkcs11"; then
+	if test "yes" = "$want_native_pkcs11"; then
+	    echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
+	else
+	    echo "    PKCS#11/Cryptoki support using OpenSSL (--with-pkcs11)"
+	fi
+	echo "        Provider library: $PKCS11_PROVIDER"
     fi
-    echo "        Provider library: $PKCS11_PROVIDER"
-fi
-if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
-    echo "    GOST algorithm support (encoding: $gosttype) (--with-gost)"
-fi
-test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
-    echo "    ECDSA algorithm support (--with-ecdsa)"
-test "yes" = "$enable_fixed" && \
-    echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
-test "yes" = "$enable_filter" && \
-    echo "    AAAA filtering (--enable-filter-aaaa)"
-test "yes" = "$enable_seccomp" && \
-    echo "    Use libseccomp system call filtering (--enable-seccomp)"
-test "yes" = "$want_backtrace" && \
-    echo "    Print backtrace on crash (--enable-backtrace)"
-test "minimal" = "$want_symtable" && \
-    echo "    Use symbol table for backtrace, named only (--enable-symtable)"
-test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
-    echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
-test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
-test "yes" = "$want_querytrace" && \
-    echo "    Very verbose query trace logging (--enable-querytrace)"
-test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
-
-echo "    Dynamically loadable zone (DLZ) drivers:"
-test "no" = "$use_dlz_bdb" || \
-    echo "        Berkeley DB (--with-dlz-bdb)"
-test "no" = "$use_dlz_ldap" || \
-    echo "        LDAP (--with-dlz-ldap)"
-test "no" = "$use_dlz_mysql" || \
-    echo "        MySQL (--with-dlz-mysql)"
-test "no" = "$use_dlz_odbc" || \
-    echo "        ODBC (--with-dlz-odbc)"
-test "no" = "$use_dlz_postgres" || \
-    echo "        Postgres (--with-dlz-postgres)"
-test "no" = "$use_dlz_filesystem" || \
-    echo "        Filesystem (--with-dlz-filesystem)"
-test "no" = "$use_dlz_stub" || \
-    echo "        Stub (--with-dlz-stub)"
-test "$use_dlz_bdb $use_dlz_ldap $use_dlz_mysql $use_dlz_odbc $use_dlz_postgres $use_dlz_filesystem $use_dlz_stub" = "no no no no no no no" && echo "        None"
-echo
-
-echo "Features disabled or unavailable on this platform:"
-$use_threads || echo "    Multiprocessing support (--enable-threads)"
-test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" && \
-	echo "    IPv6 support (--enable-ipv6)"
-test "large" = "$use_tuning" || echo "    Large-system tuning (--with-tuning)"
-
-test "no" = "$use_geoip" && echo "    GeoIP access control (--with-geoip)"
-test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
-test "no" = "$enable_fetchlimit" && \
-        echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
-test "no" = "$enable_sit" && echo "    Source Identity Token support (--enable-sit)"
+    if test "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST"; then
+	echo "    GOST algorithm support (encoding: $gosttype) (--with-gost)"
+    fi
+    test "yes" = "$OPENSSL_ECDSA" -o "$PKCS11_ECDSA" && \
+	echo "    ECDSA algorithm support (--with-ecdsa)"
+    test "yes" = "$OPENSSL_ED25519" -o "$PKCS11_ED25519" && \
+	echo "    EDDSA algorithm support (--with-eddsa)"
+    test "yes" = "$enable_fixed" && \
+	echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    test "yes" = "$enable_filter" && \
+	echo "    AAAA filtering (--enable-filter-aaaa)"
+    test "yes" = "$enable_seccomp" && \
+	echo "    Use libseccomp system call filtering (--enable-seccomp)"
+    test "yes" = "$want_backtrace" && \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "minimal" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, named only (--enable-symtable)"
+    test "yes" = "$want_symtable" -o "all" = "$want_symtable" && \
+	echo "    Use symbol table for backtrace, all binaries (--enable-symtable=all)"
+    test "no" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "yes" = "$want_querytrace" && \
+	echo "    Very verbose query trace logging (--enable-querytrace)"
+    test "no" = "$atf" || echo "    Automated Testing Framework (--with-atf)"
+
+    echo "    Dynamically loadable zone (DLZ) drivers:"
+    test "no" = "$use_dlz_bdb" || \
+	echo "        Berkeley DB (--with-dlz-bdb)"
+    test "no" = "$use_dlz_ldap" || \
+	echo "        LDAP (--with-dlz-ldap)"
+    test "no" = "$use_dlz_mysql" || \
+	echo "        MySQL (--with-dlz-mysql)"
+    test "no" = "$use_dlz_odbc" || \
+	echo "        ODBC (--with-dlz-odbc)"
+    test "no" = "$use_dlz_postgres" || \
+	echo "        Postgres (--with-dlz-postgres)"
+    test "no" = "$use_dlz_filesystem" || \
+	echo "        Filesystem (--with-dlz-filesystem)"
+    test "no" = "$use_dlz_stub" || \
+	echo "        Stub (--with-dlz-stub)"
+    test "$use_dlz_bdb $use_dlz_ldap $use_dlz_mysql $use_dlz_odbc $use_dlz_postgres $use_dlz_filesystem $use_dlz_stub" = "no no no no no no no" && echo "        None"
 
-test "yes" = "$enable_fixed" || \
-    echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    echo "------------------------------------------------------------------------"
+
+    echo "Features disabled or unavailable on this platform:"
+    $use_threads || echo "    Multiprocessing support (--enable-threads)"
+    test "no" = "$enable_ipv6" -o "no" = "$found_ipv6" && \
+    	echo "    IPv6 support (--enable-ipv6)"
+    test "large" = "$use_tuning" || echo "    Large-system tuning (--with-tuning)"
+
+    test "no" = "$use_geoip" && echo "    GeoIP access control (--with-geoip)"
+    test "no" = "$use_gssapi" && echo "    GSS-API (--with-gssapi)"
+    test "no" = "$enable_fetchlimit" && \
+            echo "    Recursive fetch limits for DoS attack mitigation (--enable-fetchlimit)"
+    test "no" = "$enable_sit" && echo "    Source Identity Token support (--enable-sit)"
+
+    test "yes" = "$enable_fixed" || \
+        echo "    Allow 'fixed' rrset-order (--enable-fixed-rrset)"
+    if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
+    then
+	echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
+    elif test "no" = "$use_pkcs11"; then
+	echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
+    fi
+    test "yes" = "$want_native_pkcs11" ||
+	echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
+	echo "    GOST algorithm support (--with-gost)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
+	echo "    ECDSA algorithm support (--with-ecdsa)"
+    test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ED25519" -o "yes" = "$PKCS11_ED25519" || \
+	echo "    EDDSA algorithm support (--with-eddsa)"
+
+    test "yes" = "$enable_seccomp" || \
+	echo "    Use libseccomp system call filtering (--enable-seccomp)"
+    test "yes" = "$want_backtrace" || \
+	echo "    Print backtrace on crash (--enable-backtrace)"
+    test "yes" = "$want_querytrace" || \
+        echo "    Very verbose query trace logging (--enable-querytrace)"
+
+    test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
+    test "no" = "$atf" && echo "    Automated Testing Framework (--with-atf)"
+
+    test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
+    test "X$XMLSTATS" = "X" && echo "    XML statistics (--with-libxml2)"
+    test "X$JSONSTATS" = "X" && echo "    JSON statistics (--with-libjson)"
 
-if test "X$CRYPTO" = "X" -o "yes" = "$want_native_pkcs11"
-then
-    echo "    OpenSSL cryptography/DNSSEC (--with-openssl)"
-elif test "no" = "$use_pkcs11"; then
-    echo "    PKCS#11/Cryptoki support (--with-pkcs11)"
-fi
-test "yes" = "$want_native_pkcs11" ||
-    echo "    Native PKCS#11/Cryptoki support (--enable-native-pkcs11)"
-test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_GOST" -o "yes" = "$PKCS11_GOST" || \
-    echo "    GOST algorithm support (--with-gost)"
-test "X$CRYPTO" = "X" -o "yes" = "$OPENSSL_ECDSA" -o "yes" = "$PKCS11_ECDSA" || \
-    echo "    ECDSA algorithm support (--with-ecdsa)"
-
-test "yess" = "$enable_seccomp" || \
-    echo "    Use libseccomp system call filtering (--enable-seccomp)"
-test "yes" = "$want_backtrace" || \
-    echo "    Print backtrace on crash (--enable-backtrace)"
-test "yes" = "$want_querytrace" || \
-    echo "    Very verbose query trace logging (--enable-querytrace)"
-
-test "yes" = "$use_libtool" || echo "    Use GNU libtool (--with-libtool)"
-test "no" = "$atf" && echo "    Automated Testing Framework (--with-atf)"
-
-test "X$PYTHON" = "X" && echo "    Python tools (--with-python)"
-test "X$XMLSTATS" = "X" && echo "    XML statistics (--with-libxml2)"
-test "X$JSONSTATS" = "X" && echo "    JSON statistics (--with-libjson)"
-
-if test "X$ac_unrecognized_opts" != "X"; then
-    echo
-    echo "Unrecognized options:"
-    echo "    $ac_unrecognized_opts"
-fi
-if test "$enable_full_report" != "yes"; then
     echo "------------------------------------------------------------------------"
-    echo "For more detail, use --enable-full-report."
+    echo "Configured paths:"
+    echo "    prefix: $prefix"
+    echo "    sysconfdir: $sysconfdir"
+    echo "    localstatedir: $localstatedir"
+
+
+    if test "X$ac_unrecognized_opts" != "X"; then
+	echo
+	echo "Unrecognized options:"
+	echo "    $ac_unrecognized_opts"
+    fi
+
+    if test "yes" != "$enable_full_report"; then
+        echo "------------------------------------------------------------------------"
+        echo "For more detail, use --enable-full-report."
+    fi
+    echo "========================================================================"
+}
+
+if test "yes" != "$silent"; then
+	report
 fi
-echo "========================================================================"
 
 if test "X$CRYPTO" = "X"; then
-cat << \EOF                                                             
+cat << \EOF
 BIND 9 is being built without cryptography support. This means it will
 not have DNSSEC support. Use --with-openssl, or --with-pkcs11 and
 --enable-native-pkcs11 to enable cryptography.
 EOF
 fi
 
-if test "X$OPENSSL_WARNING" != "X"; then
-cat << \EOF
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING                                                                 WARNING
-WARNING         Your OpenSSL crypto library may be vulnerable to        WARNING
-WARNING         one or more of the the following known security         WARNING
-WARNING         flaws:                                                  WARNING
-WARNING                                                                 WARNING
-WARNING         CAN-2002-0659, CAN-2006-4339, CVE-2006-2937,            WARNING
-WARNING         CVE-2006-2940 and CVE-2015-3193.                        WARNING
-WARNING                                                                 WARNING
-WARNING         It is recommended that you upgrade to OpenSSL           WARNING
-WARNING         version 1.0.2e/1.0.1/1.0.0/0.9.9/0.9.8d/0.9.7l          WARNING
-WARNING		(or greater).                                           WARNING
-WARNING                                                                 WARNING
-WARNING         You can disable this warning by specifying:             WARNING
-WARNING                                                                 WARNING
-WARNING               --disable-openssl-version-check          	        WARNING
-WARNING                                                                 WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
-EOF
-fi
-
 # Tell Emacs to edit this file in shell mode.
 # Local Variables:
 # mode: sh
diff --git a/usr.sbin/bind/isc-config.sh.1 b/usr.sbin/bind/isc-config.sh.1
index a17bf0b5f6d..65d8cf9780e 100644
--- a/usr.sbin/bind/isc-config.sh.1
+++ b/usr.sbin/bind/isc-config.sh.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -99,5 +99,5 @@ returns an exit status of 1 if invoked with invalid arguments or no arguments at
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/isc-config.sh.docbook b/usr.sbin/bind/isc-config.sh.docbook
index f965e94bea4..569179fad2b 100644
--- a/usr.sbin/bind/isc-config.sh.docbook
+++ b/usr.sbin/bind/isc-config.sh.docbook
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -36,6 +36,7 @@
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
   </docinfo>
diff --git a/usr.sbin/bind/isc-config.sh.html b/usr.sbin/bind/isc-config.sh.html
index 86e5856de08..b6302f4bbb3 100644
--- a/usr.sbin/bind/isc-config.sh.html
+++ b/usr.sbin/bind/isc-config.sh.html
@@ -1,6 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2009, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2009, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/isc-config.sh.in b/usr.sbin/bind/isc-config.sh.in
index ffeea5653e7..eb4f428b146 100644
--- a/usr.sbin/bind/isc-config.sh.in
+++ b/usr.sbin/bind/isc-config.sh.in
@@ -1,7 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2004, 2007, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: isc-config.sh.in,v 1.2 2019/12/16 16:16:22 deraadt Exp $
+# $Id: isc-config.sh.in,v 1.3 2019/12/17 01:46:31 sthen Exp $
 
 prefix=@prefix@
 exec_prefix=@exec_prefix@
@@ -161,7 +160,7 @@ if test x"$echo_libs" = x"true"; then
 		libs="$libs -lisccc"
 	fi
 	if test x"$libisc" = x"true" ; then
-		libs="$libs -lisc"
+		libs="$libs -lisc @ISC_OPENSSL_LIBS@"
 		needothers=true
 	fi
 	if test x"$needothers" = x"true" ; then
diff --git a/usr.sbin/bind/lib/Makefile.in b/usr.sbin/bind/lib/Makefile.in
index 257757111e0..0fa06ea9ec0 100644
--- a/usr.sbin/bind/lib/Makefile.in
+++ b/usr.sbin/bind/lib/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4 2019/12/16 16:16:23 deraadt Exp $
+# $Id: Makefile.in,v 1.5 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,7 +22,7 @@ top_srcdir =	@top_srcdir@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
-SUBDIRS =	isc isccc dns isccfg bind9 lwres irs tests samples
+SUBDIRS =	isc isccc dns isccfg bind9 lwres irs samples
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/usr.sbin/bind/lib/bind9/Makefile.in b/usr.sbin/bind/lib/bind9/Makefile.in
index 311b9eff50e..04bca502800 100644
--- a/usr.sbin/bind/lib/bind9/Makefile.in
+++ b/usr.sbin/bind/lib/bind9/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:23 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +25,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	-I. ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		@ISC_OPENSSL_INC@ ${ISCCFG_INCLUDES}
+		${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
 
 CDEFINES =	@CRYPTO@
 CWARNINGS =
diff --git a/usr.sbin/bind/lib/bind9/api b/usr.sbin/bind/lib/bind9/api
index 441f18d8833..27fce2847b3 100644
--- a/usr.sbin/bind/lib/bind9/api
+++ b/usr.sbin/bind/lib/bind9/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
-LIBINTERFACE = 140
-LIBREVISION = 12
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 141
+LIBREVISION = 4
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/bind9/check.c b/usr.sbin/bind/lib/bind9/check.c
index 5637e008834..02b00452a9d 100644
--- a/usr.sbin/bind/lib/bind9/check.c
+++ b/usr.sbin/bind/lib/bind9/check.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -57,6 +56,7 @@
 #include <dns/rdatatype.h>
 #include <dns/rrl.h>
 #include <dns/secalg.h>
+#include <dns/ssu.h>
 
 #include <dst/dst.h>
 
@@ -65,6 +65,20 @@
 
 #include <bind9/check.h>
 
+#define INITNAME(A,B) { \
+		DNS_NAME_MAGIC, \
+		A, sizeof(A), sizeof(B), \
+		DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+		B, NULL, { (void *)-1, (void *)-1}, \
+		{NULL, NULL} \
+}
+
+static unsigned char dlviscorg_ndata[] = "\003dlv\003isc\003org";
+static unsigned char dlviscorg_offsets[] = { 0, 4, 8, 12 };
+
+static const dns_name_t dlviscorg =
+	INITNAME(dlviscorg_ndata, dlviscorg_offsets);
+
 static isc_result_t
 fileexist(const cfg_obj_t *obj, isc_symtab_t *symtab, isc_boolean_t writeable,
 	  isc_log_t *logctxlogc);
@@ -1135,9 +1149,16 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 			 * is missing, skip remaining tests
 			 */
 			if (cfg_obj_isvoid(anchor)) {
-				if (!strcasecmp(dlv, "no") ||
-				    !strcasecmp(dlv, "auto"))
+				if (!strcasecmp(dlv, "no")) {
+					continue;
+				}
+				if (!strcasecmp(dlv, "auto")) {
+					cfg_obj_log(obj, logctx,
+						    ISC_LOG_WARNING,
+						    "dnssec-lookaside 'auto' "
+						    "is no longer supported");
 					continue;
+				}
 			}
 
 			tresult = dns_name_fromstring(name, dlv, 0, NULL);
@@ -1150,7 +1171,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 			if (symtab != NULL) {
 				tresult = nameexist(obj, dlv, 1, symtab,
 						    "dnssec-lookaside '%s': "
-						    "already exists previous "
+						    "already exists; previous "
 						    "definition: %s:%u",
 						    logctx, mctx);
 				if (tresult != ISC_R_SUCCESS &&
@@ -1170,23 +1191,30 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 					result = ISC_R_FAILURE;
 			}
 
-			if (!cfg_obj_isvoid(anchor)) {
-				dlv = cfg_obj_asstring(anchor);
-				tresult = check_name(dlv);
-				if (tresult != ISC_R_SUCCESS) {
-					cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-						    "bad domain name '%s'",
-						    dlv);
-					if (result == ISC_R_SUCCESS)
-						result = tresult;
-				}
-			} else {
+			if (cfg_obj_isvoid(anchor)) {
 				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-					"dnssec-lookaside requires "
-					"either 'auto' or 'no', or a "
-					"domain and trust anchor");
+					    "dnssec-lookaside requires "
+					    "either or 'no' or a "
+					    "domain and trust anchor");
 				if (result == ISC_R_SUCCESS)
 					result = ISC_R_FAILURE;
+				continue;
+			}
+
+			dlv = cfg_obj_asstring(anchor);
+			tresult = dns_name_fromstring(name, dlv, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(anchor, logctx, ISC_LOG_ERROR,
+					    "bad domain name '%s'", dlv);
+				if (result == ISC_R_SUCCESS)
+					result = tresult;
+				continue;
+			}
+			if (dns_name_equal(&dlviscorg, name)) {
+				cfg_obj_log(anchor, logctx, ISC_LOG_WARNING,
+					    "dlv.isc.org has been shut down: "
+					    "dnssec-lookaside ignored");
+				continue;
 			}
 		}
 
@@ -1424,23 +1452,23 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
 		}
 		/* Grow stack? */
 		if (stackcount == pushed) {
-			void * new;
+			void * newstack;
 			isc_uint32_t newlen = stackcount + 16;
 			size_t newsize, oldsize;
 
 			newsize = newlen * sizeof(*stack);
 			oldsize = stackcount * sizeof(*stack);
-			new = isc_mem_get(mctx, newsize);
-			if (new == NULL)
+			newstack = isc_mem_get(mctx, newsize);
+			if (newstack == NULL)
 				goto cleanup;
 			if (stackcount != 0) {
 				void *ptr;
 
 				DE_CONST(stack, ptr);
-				memmove(new, stack, oldsize);
+				memmove(newstack, stack, oldsize);
 				isc_mem_put(mctx, ptr, oldsize);
 			}
-			stack = new;
+			stack = newstack;
 			stackcount = newlen;
 		}
 		stack[pushed++] = cfg_list_next(element);
@@ -1468,9 +1496,9 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 	isc_result_t tresult;
 	const cfg_listelt_t *element;
 	const cfg_listelt_t *element2;
-	dns_fixedname_t fixed;
+	dns_fixedname_t fixed_id, fixed_name;
+	dns_name_t *id, *name;
 	const char *str;
-	isc_buffer_t b;
 
 	/* Check for "update-policy local;" */
 	if (cfg_obj_isstring(policy) &&
@@ -1487,27 +1515,36 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 		const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
 		const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
 		const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
+		dns_ssumatchtype_t mtype;
+
+		dns_fixedname_init(&fixed_id);
+		dns_fixedname_init(&fixed_name);
+		id = dns_fixedname_name(&fixed_id);
+		name = dns_fixedname_name(&fixed_name);
+
+		tresult = dns_ssu_mtypefromstring(cfg_obj_asstring(matchtype),
+						  &mtype);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+				    "has a bad match-type");
+		}
 
-		dns_fixedname_init(&fixed);
 		str = cfg_obj_asstring(identity);
-		isc_buffer_constinit(&b, str, strlen(str));
-		isc_buffer_add(&b, strlen(str));
-		tresult = dns_name_fromtext(dns_fixedname_name(&fixed), &b,
-					    dns_rootname, 0, NULL);
+		tresult = dns_name_fromstring(id, str, 1, NULL);
 		if (tresult != ISC_R_SUCCESS) {
 			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
 				    "'%s' is not a valid name", str);
 			result = tresult;
 		}
 
+		/*
+		 * There is no name field for subzone.
+		 */
 		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(cfg_obj_asstring(matchtype), "zonesub") != 0) {
-			dns_fixedname_init(&fixed);
+		    mtype != dns_ssumatchtype_subdomain)
+		{
 			str = cfg_obj_asstring(dname);
-			isc_buffer_constinit(&b, str, strlen(str));
-			isc_buffer_add(&b, strlen(str));
-			tresult = dns_name_fromtext(dns_fixedname_name(&fixed),
-						    &b, dns_rootname, 0, NULL);
+			tresult = dns_name_fromstring(name, str, 0, NULL);
 			if (tresult != ISC_R_SUCCESS) {
 				cfg_obj_log(dname, logctx, ISC_LOG_ERROR,
 					    "'%s' is not a valid name", str);
@@ -1516,13 +1553,55 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 		}
 
 		if (tresult == ISC_R_SUCCESS &&
-		    strcasecmp(cfg_obj_asstring(matchtype), "wildcard") == 0 &&
-		    !dns_name_iswildcard(dns_fixedname_name(&fixed))) {
+		    mtype == dns_ssumatchtype_wildcard &&
+		    !dns_name_iswildcard(name))
+		{
 			cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
 				    "'%s' is not a wildcard", str);
 			result = ISC_R_FAILURE;
 		}
 
+		/*
+		 * For some match types, the name should be a placeholder
+		 * value, either "." or the same as identity.
+		 */
+		switch (mtype) {
+		case dns_ssumatchtype_self:
+		case dns_ssumatchtype_selfsub:
+		case dns_ssumatchtype_selfwild:
+			if (tresult == ISC_R_SUCCESS &&
+			    (!dns_name_equal(id, name) &&
+			     !dns_name_equal(dns_rootname, name))) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "identity and name fields are not "
+					    "the same");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_selfkrb5:
+		case dns_ssumatchtype_selfms:
+		case dns_ssumatchtype_subdomainms:
+		case dns_ssumatchtype_subdomainkrb5:
+		case dns_ssumatchtype_tcpself:
+		case dns_ssumatchtype_6to4self:
+			if (tresult == ISC_R_SUCCESS &&
+			    !dns_name_equal(dns_rootname, name)) {
+				cfg_obj_log(identity, logctx, ISC_LOG_ERROR,
+					    "name field not set to "
+					    "placeholder value '.'");
+				result = ISC_R_FAILURE;
+			}
+			break;
+		case dns_ssumatchtype_name:
+		case dns_ssumatchtype_subdomain:
+		case dns_ssumatchtype_wildcard:
+		case dns_ssumatchtype_external:
+		case dns_ssumatchtype_local:
+			break;
+		default:
+			INSIST(0);
+		}
+
 		for (element2 = cfg_list_first(typelist);
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2))
@@ -1554,6 +1633,7 @@ check_update_policy(const cfg_obj_t *policy, isc_log_t *logctx) {
 #define DELEGATIONZONE	32
 #define STATICSTUBZONE	64
 #define REDIRECTZONE	128
+#define INVIEWZONE	256
 #define STREDIRECTZONE	0	/* Set to REDIRECTZONE to allow xfr-in. */
 #define CHECKACL	512
 
@@ -1588,14 +1668,17 @@ check_nonzero(const cfg_obj_t *options, isc_log_t *logctx) {
 static isc_result_t
 check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	       const cfg_obj_t *config, isc_symtab_t *symtab,
-	       isc_symtab_t *files, dns_rdataclass_t defclass,
+	       isc_symtab_t *files, isc_symtab_t *inview,
+	       const char *viewname, dns_rdataclass_t defclass,
 	       cfg_aclconfctx_t *actx, isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const char *znamestr;
-	const char *typestr;
+	const char *typestr = NULL;
+	const char *target = NULL;
 	unsigned int ztype;
 	const cfg_obj_t *zoptions, *goptions = NULL;
 	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *inviewobj = NULL;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	unsigned int i;
@@ -1694,65 +1777,51 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	if (config != NULL)
 		cfg_map_get(config, "options", &goptions);
 
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "in-view", &obj);
-	if (obj != NULL) {
-		const cfg_obj_t *fwd = NULL;
-		unsigned int maxopts = 1;
-		(void)cfg_map_get(zoptions, "forward", &fwd);
-		if (fwd != NULL)
-			maxopts++;
-		fwd = NULL;
-		(void)cfg_map_get(zoptions, "forwarders", &fwd);
-		if (fwd != NULL)
-			maxopts++;
-		if (cfg_map_count(zoptions) > maxopts) {
+	inviewobj = NULL;
+	(void)cfg_map_get(zoptions, "in-view", &inviewobj);
+	if (inviewobj != NULL) {
+		target = cfg_obj_asstring(inviewobj);
+		ztype = INVIEWZONE;
+	} else {
+		obj = NULL;
+		(void)cfg_map_get(zoptions, "type", &obj);
+		if (obj == NULL) {
 			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-				    "zone '%s': 'in-view' used "
-				    "with incompatible zone options",
-				    znamestr);
+				    "zone '%s': type not present", znamestr);
 			return (ISC_R_FAILURE);
 		}
-		return (ISC_R_SUCCESS);
-	}
 
-	obj = NULL;
-	(void)cfg_map_get(zoptions, "type", &obj);
-	if (obj == NULL) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "zone '%s': type not present", znamestr);
-		return (ISC_R_FAILURE);
-	}
+		typestr = cfg_obj_asstring(obj);
+		if (strcasecmp(typestr, "master") == 0) {
+			ztype = MASTERZONE;
+		} else if (strcasecmp(typestr, "slave") == 0) {
+			ztype = SLAVEZONE;
+		} else if (strcasecmp(typestr, "stub") == 0) {
+			ztype = STUBZONE;
+		} else if (strcasecmp(typestr, "static-stub") == 0) {
+			ztype = STATICSTUBZONE;
+		} else if (strcasecmp(typestr, "forward") == 0) {
+			ztype = FORWARDZONE;
+		} else if (strcasecmp(typestr, "hint") == 0) {
+			ztype = HINTZONE;
+		} else if (strcasecmp(typestr, "delegation-only") == 0) {
+			ztype = DELEGATIONZONE;
+		} else if (strcasecmp(typestr, "redirect") == 0) {
+			ztype = REDIRECTZONE;
+		} else {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "zone '%s': invalid type %s",
+				    znamestr, typestr);
+			return (ISC_R_FAILURE);
+		}
 
-	typestr = cfg_obj_asstring(obj);
-	if (strcasecmp(typestr, "master") == 0)
-		ztype = MASTERZONE;
-	else if (strcasecmp(typestr, "slave") == 0)
-		ztype = SLAVEZONE;
-	else if (strcasecmp(typestr, "stub") == 0)
-		ztype = STUBZONE;
-	else if (strcasecmp(typestr, "static-stub") == 0)
-		ztype = STATICSTUBZONE;
-	else if (strcasecmp(typestr, "forward") == 0)
-		ztype = FORWARDZONE;
-	else if (strcasecmp(typestr, "hint") == 0)
-		ztype = HINTZONE;
-	else if (strcasecmp(typestr, "delegation-only") == 0)
-		ztype = DELEGATIONZONE;
-	else if (strcasecmp(typestr, "redirect") == 0)
-		ztype = REDIRECTZONE;
-	else {
-		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-			    "zone '%s': invalid type %s",
-			    znamestr, typestr);
-		return (ISC_R_FAILURE);
+		if (ztype == REDIRECTZONE && strcmp(znamestr, ".") != 0) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "redirect zones must be called \".\"");
+			return (ISC_R_FAILURE);
+		}
 	}
 
-	if (ztype == REDIRECTZONE && strcmp(znamestr, ".") != 0) {
-		cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
-			    "redirect zones must be called \".\"");
-		return (ISC_R_FAILURE);
-	}
 	obj = cfg_tuple_get(zconfig, "class");
 	if (cfg_obj_isstring(obj)) {
 		isc_textregion_t r;
@@ -1773,6 +1842,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				    znamestr, r.base);
 			return (ISC_R_FAILURE);
 		}
+	} else {
+		zclass = defclass;
 	}
 
 	/*
@@ -1790,7 +1861,9 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 			    "zone '%s': is not a valid name", znamestr);
 		result = ISC_R_FAILURE;
 	} else {
-		char namebuf[DNS_NAME_FORMATSIZE];
+		char namebuf[DNS_NAME_FORMATSIZE + 128];
+		char *tmp = namebuf;
+		size_t len = sizeof(namebuf);
 
 		zname = dns_fixedname_name(&fixedname);
 		dns_name_format(zname, namebuf, sizeof(namebuf));
@@ -1806,6 +1879,79 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 			rfc1918 = ISC_TRUE;
 		else if (dns_name_isula(zname))
 			ula = ISC_TRUE;
+		tmp += strlen(tmp);
+		len -= strlen(tmp);
+		(void)snprintf(tmp, len, "%u/%s", zclass,
+			       (ztype == INVIEWZONE) ? target :
+				(viewname != NULL) ? viewname : "_default");
+		switch (ztype) {
+		case INVIEWZONE:
+			tresult = isc_symtab_lookup(inview, namebuf, 0, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(inviewobj, logctx, ISC_LOG_ERROR,
+					    "'in-view' zone '%s' "
+					    "does not exist in view '%s', "
+					    "or view '%s' is not yet defined",
+					    znamestr, target, target);
+				if (result == ISC_R_SUCCESS) {
+					result = tresult;
+				}
+			}
+			break;
+
+		case FORWARDZONE:
+		case REDIRECTZONE:
+		case DELEGATIONZONE:
+			break;
+
+		case MASTERZONE:
+		case SLAVEZONE:
+		case HINTZONE:
+		case STUBZONE:
+		case STATICSTUBZONE:
+			tmp = isc_mem_strdup(mctx, namebuf);
+			if (tmp != NULL) {
+				isc_symvalue_t symvalue;
+
+				symvalue.as_cpointer = NULL;
+				tresult = isc_symtab_define(inview, tmp, 1,
+					   symvalue, isc_symexists_replace);
+				if (tresult == ISC_R_NOMEMORY) {
+					isc_mem_free(mctx, tmp);
+				}
+				if (result == ISC_R_SUCCESS &&
+				    tresult != ISC_R_SUCCESS)
+					result = tresult;
+			} else if (result != ISC_R_SUCCESS) {
+				result = ISC_R_NOMEMORY;
+			}
+			break;
+
+		default:
+			INSIST(0);
+		}
+	}
+
+	if (ztype == INVIEWZONE) {
+		const cfg_obj_t *fwd = NULL;
+		unsigned int maxopts = 1;
+
+		(void)cfg_map_get(zoptions, "forward", &fwd);
+		if (fwd != NULL)
+			maxopts++;
+		fwd = NULL;
+		(void)cfg_map_get(zoptions, "forwarders", &fwd);
+		if (fwd != NULL)
+			maxopts++;
+		if (cfg_map_count(zoptions) > maxopts) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': 'in-view' used "
+				    "with incompatible zone options",
+				    znamestr);
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
+		}
+		return (result);
 	}
 
 	/*
@@ -2665,9 +2811,13 @@ check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	return (result);
 }
 
+#define ROOT_KSK_2010	0x1
+#define ROOT_KSK_2017	0x2
+#define DLV_KSK_KEY	0x4
+
 static isc_result_t
 check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
-		  isc_log_t *logctx)
+		  unsigned int *keyflags, isc_log_t *logctx)
 {
 	const char *keystr, *keynamestr;
 	dns_fixedname_t fkeyname;
@@ -2745,6 +2895,128 @@ check_trusted_key(const cfg_obj_t *key, isc_boolean_t managed,
 				    keynamestr);
 	}
 
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, dns_rootname)) {
+		static const unsigned char root_ksk_2010[] = {
+			0x03, 0x01, 0x00, 0x01, 0xa8, 0x00, 0x20, 0xa9,
+			0x55, 0x66, 0xba, 0x42, 0xe8, 0x86, 0xbb, 0x80,
+			0x4c, 0xda, 0x84, 0xe4, 0x7e, 0xf5, 0x6d, 0xbd,
+			0x7a, 0xec, 0x61, 0x26, 0x15, 0x55, 0x2c, 0xec,
+			0x90, 0x6d, 0x21, 0x16, 0xd0, 0xef, 0x20, 0x70,
+			0x28, 0xc5, 0x15, 0x54, 0x14, 0x4d, 0xfe, 0xaf,
+			0xe7, 0xc7, 0xcb, 0x8f, 0x00, 0x5d, 0xd1, 0x82,
+			0x34, 0x13, 0x3a, 0xc0, 0x71, 0x0a, 0x81, 0x18,
+			0x2c, 0xe1, 0xfd, 0x14, 0xad, 0x22, 0x83, 0xbc,
+			0x83, 0x43, 0x5f, 0x9d, 0xf2, 0xf6, 0x31, 0x32,
+			0x51, 0x93, 0x1a, 0x17, 0x6d, 0xf0, 0xda, 0x51,
+			0xe5, 0x4f, 0x42, 0xe6, 0x04, 0x86, 0x0d, 0xfb,
+			0x35, 0x95, 0x80, 0x25, 0x0f, 0x55, 0x9c, 0xc5,
+			0x43, 0xc4, 0xff, 0xd5, 0x1c, 0xbe, 0x3d, 0xe8,
+			0xcf, 0xd0, 0x67, 0x19, 0x23, 0x7f, 0x9f, 0xc4,
+			0x7e, 0xe7, 0x29, 0xda, 0x06, 0x83, 0x5f, 0xa4,
+			0x52, 0xe8, 0x25, 0xe9, 0xa1, 0x8e, 0xbc, 0x2e,
+			0xcb, 0xcf, 0x56, 0x34, 0x74, 0x65, 0x2c, 0x33,
+			0xcf, 0x56, 0xa9, 0x03, 0x3b, 0xcd, 0xf5, 0xd9,
+			0x73, 0x12, 0x17, 0x97, 0xec, 0x80, 0x89, 0x04,
+			0x1b, 0x6e, 0x03, 0xa1, 0xb7, 0x2d, 0x0a, 0x73,
+			0x5b, 0x98, 0x4e, 0x03, 0x68, 0x73, 0x09, 0x33,
+			0x23, 0x24, 0xf2, 0x7c, 0x2d, 0xba, 0x85, 0xe9,
+			0xdb, 0x15, 0xe8, 0x3a, 0x01, 0x43, 0x38, 0x2e,
+			0x97, 0x4b, 0x06, 0x21, 0xc1, 0x8e, 0x62, 0x5e,
+			0xce, 0xc9, 0x07, 0x57, 0x7d, 0x9e, 0x7b, 0xad,
+			0xe9, 0x52, 0x41, 0xa8, 0x1e, 0xbb, 0xe8, 0xa9,
+			0x01, 0xd4, 0xd3, 0x27, 0x6e, 0x40, 0xb1, 0x14,
+			0xc0, 0xa2, 0xe6, 0xfc, 0x38, 0xd1, 0x9c, 0x2e,
+			0x6a, 0xab, 0x02, 0x64, 0x4b, 0x28, 0x13, 0xf5,
+			0x75, 0xfc, 0x21, 0x60, 0x1e, 0x0d, 0xee, 0x49,
+			0xcd, 0x9e, 0xe9, 0x6a, 0x43, 0x10, 0x3e, 0x52,
+			0x4d, 0x62, 0x87, 0x3d };
+		static const unsigned char root_ksk_2017[] = {
+			0x03, 0x01, 0x00, 0x01, 0xac, 0xff, 0xb4, 0x09,
+			0xbc, 0xc9, 0x39, 0xf8, 0x31, 0xf7, 0xa1, 0xe5,
+			0xec, 0x88, 0xf7, 0xa5, 0x92, 0x55, 0xec, 0x53,
+			0x04, 0x0b, 0xe4, 0x32, 0x02, 0x73, 0x90, 0xa4,
+			0xce, 0x89, 0x6d, 0x6f, 0x90, 0x86, 0xf3, 0xc5,
+			0xe1, 0x77, 0xfb, 0xfe, 0x11, 0x81, 0x63, 0xaa,
+			0xec, 0x7a, 0xf1, 0x46, 0x2c, 0x47, 0x94, 0x59,
+			0x44, 0xc4, 0xe2, 0xc0, 0x26, 0xbe, 0x5e, 0x98,
+			0xbb, 0xcd, 0xed, 0x25, 0x97, 0x82, 0x72, 0xe1,
+			0xe3, 0xe0, 0x79, 0xc5, 0x09, 0x4d, 0x57, 0x3f,
+			0x0e, 0x83, 0xc9, 0x2f, 0x02, 0xb3, 0x2d, 0x35,
+			0x13, 0xb1, 0x55, 0x0b, 0x82, 0x69, 0x29, 0xc8,
+			0x0d, 0xd0, 0xf9, 0x2c, 0xac, 0x96, 0x6d, 0x17,
+			0x76, 0x9f, 0xd5, 0x86, 0x7b, 0x64, 0x7c, 0x3f,
+			0x38, 0x02, 0x9a, 0xbd, 0xc4, 0x81, 0x52, 0xeb,
+			0x8f, 0x20, 0x71, 0x59, 0xec, 0xc5, 0xd2, 0x32,
+			0xc7, 0xc1, 0x53, 0x7c, 0x79, 0xf4, 0xb7, 0xac,
+			0x28, 0xff, 0x11, 0x68, 0x2f, 0x21, 0x68, 0x1b,
+			0xf6, 0xd6, 0xab, 0xa5, 0x55, 0x03, 0x2b, 0xf6,
+			0xf9, 0xf0, 0x36, 0xbe, 0xb2, 0xaa, 0xa5, 0xb3,
+			0x77, 0x8d, 0x6e, 0xeb, 0xfb, 0xa6, 0xbf, 0x9e,
+			0xa1, 0x91, 0xbe, 0x4a, 0xb0, 0xca, 0xea, 0x75,
+			0x9e, 0x2f, 0x77, 0x3a, 0x1f, 0x90, 0x29, 0xc7,
+			0x3e, 0xcb, 0x8d, 0x57, 0x35, 0xb9, 0x32, 0x1d,
+			0xb0, 0x85, 0xf1, 0xb8, 0xe2, 0xd8, 0x03, 0x8f,
+			0xe2, 0x94, 0x19, 0x92, 0x54, 0x8c, 0xee, 0x0d,
+			0x67, 0xdd, 0x45, 0x47, 0xe1, 0x1d, 0xd6, 0x3a,
+			0xf9, 0xc9, 0xfc, 0x1c, 0x54, 0x66, 0xfb, 0x68,
+			0x4c, 0xf0, 0x09, 0xd7, 0x19, 0x7c, 0x2c, 0xf7,
+			0x9e, 0x79, 0x2a, 0xb5, 0x01, 0xe6, 0xa8, 0xa1,
+			0xca, 0x51, 0x9a, 0xf2, 0xcb, 0x9b, 0x5f, 0x63,
+			0x67, 0xe9, 0x4c, 0x0d, 0x47, 0x50, 0x24, 0x51,
+			0x35, 0x7b, 0xe1, 0xb5 };
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2010) &&
+		    !memcmp(keydata, root_ksk_2010, sizeof(root_ksk_2010))) {
+			*keyflags |= ROOT_KSK_2010;
+		}
+		if (flags == 257 && proto == 3 && alg == 8 &&
+		    isc_buffer_usedlength(&b) == sizeof(root_ksk_2017) &&
+		    !memcmp(keydata, root_ksk_2017, sizeof(root_ksk_2017))) {
+			*keyflags |= ROOT_KSK_2017;
+		}
+	}
+	if (result == ISC_R_SUCCESS && dns_name_equal(keyname, &dlviscorg)) {
+		static const unsigned char dlviscorgkey[] = {
+			0x04, 0x40, 0x00, 0x00, 0x03, 0xc7, 0x32, 0xef,
+			0xf9, 0xa2, 0x7c, 0xeb, 0x10, 0x4e, 0xf3, 0xd5,
+			0xe8, 0x26, 0x86, 0x0f, 0xd6, 0x3c, 0xed, 0x3e,
+			0x8e, 0xea, 0x19, 0xad, 0x6d, 0xde, 0xb9, 0x61,
+			0x27, 0xe0, 0xcc, 0x43, 0x08, 0x4d, 0x7e, 0x94,
+			0xbc, 0xb6, 0x6e, 0xb8, 0x50, 0xbf, 0x9a, 0xcd,
+			0xdf, 0x64, 0x4a, 0xb4, 0xcc, 0xd7, 0xe8, 0xc8,
+			0xfb, 0xd2, 0x37, 0x73, 0x78, 0xd0, 0xf8, 0x5e,
+			0x49, 0xd6, 0xe7, 0xc7, 0x67, 0x24, 0xd3, 0xc2,
+			0xc6, 0x7f, 0x3e, 0x8c, 0x01, 0xa5, 0xd8, 0x56,
+			0x4b, 0x2b, 0xcb, 0x7e, 0xd6, 0xea, 0xb8, 0x5b,
+			0xe9, 0xe7, 0x03, 0x7a, 0x8e, 0xdb, 0xe0, 0xcb,
+			0xfa, 0x4e, 0x81, 0x0f, 0x89, 0x9e, 0xc0, 0xc2,
+			0xdb, 0x21, 0x81, 0x70, 0x7b, 0x43, 0xc6, 0xef,
+			0x74, 0xde, 0xf5, 0xf6, 0x76, 0x90, 0x96, 0xf9,
+			0xe9, 0xd8, 0x60, 0x31, 0xd7, 0xb9, 0xca, 0x65,
+			0xf8, 0x04, 0x8f, 0xe8, 0x43, 0xe7, 0x00, 0x2b,
+			0x9d, 0x3f, 0xc6, 0xf2, 0x6f, 0xd3, 0x41, 0x6b,
+			0x7f, 0xc9, 0x30, 0xea, 0xe7, 0x0c, 0x4f, 0x01,
+			0x65, 0x80, 0xf7, 0xbe, 0x8e, 0x71, 0xb1, 0x3c,
+			0xf1, 0x26, 0x1c, 0x0b, 0x5e, 0xfd, 0x44, 0x64,
+			0x63, 0xad, 0x99, 0x7e, 0x42, 0xe8, 0x04, 0x00,
+			0x03, 0x2c, 0x74, 0x3d, 0x22, 0xb4, 0xb6, 0xb6,
+			0xbc, 0x80, 0x7b, 0xb9, 0x9b, 0x05, 0x95, 0x5c,
+			0x3b, 0x02, 0x1e, 0x53, 0xf4, 0x70, 0xfe, 0x64,
+			0x71, 0xfe, 0xfc, 0x30, 0x30, 0x24, 0xe0, 0x35,
+			0xba, 0x0c, 0x40, 0xab, 0x54, 0x76, 0xf3, 0x57,
+			0x0e, 0xb6, 0x09, 0x0d, 0x21, 0xd9, 0xc2, 0xcd,
+			0xf1, 0x89, 0x15, 0xc5, 0xd5, 0x17, 0xfe, 0x6a,
+			0x5f, 0x54, 0x99, 0x97, 0xd2, 0x6a, 0xff, 0xf8,
+			0x35, 0x62, 0xca, 0x8c, 0x7c, 0xe9, 0x4f, 0x9f,
+			0x64, 0xfd, 0x54, 0xad, 0x4c, 0x33, 0x74, 0x61,
+			0x4b, 0x96, 0xac, 0x13, 0x61 };
+		if (flags == 257 && proto == 3 && alg == 5 &&
+		    isc_buffer_usedlength(&b) == sizeof(dlviscorgkey) &&
+		    !memcmp(keydata, dlviscorgkey, sizeof(dlviscorgkey))) {
+			*keyflags |= DLV_KSK_KEY;
+		}
+	}
+
 	return (result);
 }
 
@@ -2758,6 +3030,9 @@ check_rpz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
 	const char *forview = " for view ";
 	isc_symvalue_t value;
 	isc_result_t result, tresult;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	char namebuf[DNS_NAME_FORMATSIZE];
 
 	if (viewname == NULL) {
 		viewname = "";
@@ -2765,6 +3040,8 @@ check_rpz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
 	}
 	result = ISC_R_SUCCESS;
 
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
 	obj = cfg_tuple_get(rpz_obj, "zone list");
 	for (element = cfg_list_first(obj);
 	     element != NULL;
@@ -2773,7 +3050,17 @@ check_rpz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
 		nameobj = cfg_tuple_get(obj, "zone name");
 		zonename = cfg_obj_asstring(nameobj);
 		zonetype = "";
-		tresult = isc_symtab_lookup(symtab, zonename, 3, &value);
+
+		tresult = dns_name_fromstring(name, zonename, 0, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
+				   "bad domain name '%s'", zonename);
+			if (result == ISC_R_SUCCESS)
+				result = tresult;
+			continue;
+		}
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		tresult = isc_symtab_lookup(symtab, namebuf, 3, &value);
 		if (tresult == ISC_R_SUCCESS) {
 			obj = NULL;
 			zoneobj = value.as_cpointer;
@@ -2789,7 +3076,8 @@ check_rpz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
 			cfg_obj_log(nameobj, logctx, ISC_LOG_ERROR,
 				    "%s '%s'%s%s is not a master or slave zone",
 				    rpz_catz, zonename, forview, viewname);
-			result = ISC_R_FAILURE;
+			if (result == ISC_R_SUCCESS)
+				result = ISC_R_FAILURE;
 		}
 	}
 	return (result);
@@ -2798,7 +3086,8 @@ check_rpz(const char *rpz_catz, const cfg_obj_t *rpz_obj,
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	       const char *viewname, dns_rdataclass_t vclass,
-	       isc_symtab_t *files, isc_log_t *logctx, isc_mem_t *mctx)
+	       isc_symtab_t *files, isc_symtab_t *inview,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
 	const cfg_obj_t *zones = NULL;
 	const cfg_obj_t *keys = NULL;
@@ -2812,6 +3101,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	const cfg_obj_t *opts = NULL;
 	isc_boolean_t enablednssec, enablevalidation;
 	const char *valstr = "no";
+	unsigned int tflags, mflags;
 
 	/*
 	 * Get global options block
@@ -2849,8 +3139,8 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		const cfg_obj_t *zone = cfg_listelt_value(element);
 
 		tresult = check_zoneconf(zone, voptions, config, symtab,
-					 files, vclass, actx, logctx,
-					 mctx);
+					 files, inview, viewname, vclass,
+					 actx, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
@@ -2975,6 +3265,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (keys == NULL)
 		(void)cfg_map_get(config, "trusted-keys", &keys);
 
+	tflags = 0;
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -2984,18 +3275,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2)) {
 			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_FALSE, logctx);
+			tresult = check_trusted_key(obj, ISC_FALSE, &tflags,
+						    logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
 		}
 	}
 
+	if ((tflags & ROOT_KSK_2010) != 0 && (tflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for root from 2010 without updated "
+			    "trusted-key from 2017: THIS WILL FAIL AFTER "
+			    "KEY ROLLOVER");
+	}
+
+	if ((tflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "trusted-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
 	keys = NULL;
 	if (voptions != NULL)
 		(void)cfg_map_get(voptions, "managed-keys", &keys);
 	if (keys == NULL)
 		(void)cfg_map_get(config, "managed-keys", &keys);
 
+	mflags = 0;
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -3005,12 +3311,33 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		     element2 != NULL;
 		     element2 = cfg_list_next(element2)) {
 			obj = cfg_listelt_value(element2);
-			tresult = check_trusted_key(obj, ISC_TRUE, logctx);
+			tresult = check_trusted_key(obj, ISC_TRUE, &mflags,
+						    logctx);
 			if (tresult != ISC_R_SUCCESS)
 				result = tresult;
 		}
 	}
 
+	if ((mflags & ROOT_KSK_2010) != 0 && (mflags & ROOT_KSK_2017) == 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for root from 2010 without updated "
+			    "managed-key from 2017");
+	}
+
+	if ((mflags & DLV_KSK_KEY) != 0) {
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "managed-key for dlv.isc.org still present; "
+			    "dlv.isc.org has been shut down");
+	}
+
+	if ((tflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0 &&
+	    (mflags & (ROOT_KSK_2010|ROOT_KSK_2017)) != 0)
+	{
+		cfg_obj_log(keys, logctx, ISC_LOG_WARNING,
+			    "both trusted-keys and managed-keys for the ICANN "
+			    "root are present");
+	}
+
 	/*
 	 * Check options.
 	 */
@@ -3312,6 +3639,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 	isc_result_t tresult;
 	isc_symtab_t *symtab = NULL;
 	isc_symtab_t *files = NULL;
+	isc_symtab_t *inview = NULL;
 
 	static const char *builtin[] = { "localhost", "localnets",
 					 "any", "none"};
@@ -3342,13 +3670,24 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 	 */
 	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_FALSE,
 				    &files);
-	if (tresult != ISC_R_SUCCESS)
+	if (tresult != ISC_R_SUCCESS) {
 		result = tresult;
+		goto cleanup;
+	}
+
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+				    ISC_TRUE, &inview);
+	if (tresult != ISC_R_SUCCESS) {
+		result = tresult;
+		goto cleanup;
+	}
 
 	if (views == NULL) {
-		if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
-				   files, logctx, mctx) != ISC_R_SUCCESS)
+		tresult = check_viewconf(config, NULL, NULL, dns_rdataclass_in,
+					 files, inview, logctx, mctx);
+		if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS) {
 			result = ISC_R_FAILURE;
+		}
 	} else {
 		const cfg_obj_t *zones = NULL;
 
@@ -3362,8 +3701,10 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 	}
 
 	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
+	if (tresult != ISC_R_SUCCESS) {
 		result = tresult;
+		goto cleanup;
+	}
 	for (velement = cfg_list_first(views);
 	     velement != NULL;
 	     velement = cfg_list_next(velement))
@@ -3421,14 +3762,10 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		}
 		if (tresult == ISC_R_SUCCESS)
 			tresult = check_viewconf(config, voptions, key, vclass,
-						 files, logctx, mctx);
+						 files, inview, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
-	if (symtab != NULL)
-		isc_symtab_destroy(&symtab);
-	if (files != NULL)
-		isc_symtab_destroy(&files);
 
 	if (views != NULL && options != NULL) {
 		obj = NULL;
@@ -3530,5 +3867,13 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		}
 	}
 
+cleanup:
+	if (symtab != NULL)
+		isc_symtab_destroy(&symtab);
+	if (inview != NULL)
+		isc_symtab_destroy(&inview);
+	if (files != NULL)
+		isc_symtab_destroy(&files);
+
 	return (result);
 }
diff --git a/usr.sbin/bind/lib/bind9/getaddresses.c b/usr.sbin/bind/lib/bind9/getaddresses.c
index 89aee84ab92..fdff0c94fba 100644
--- a/usr.sbin/bind/lib/bind9/getaddresses.c
+++ b/usr.sbin/bind/lib/bind9/getaddresses.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.c,v 1.6 2019/12/16 16:16:23 deraadt Exp $ */
+/* $Id: getaddresses.c,v 1.7 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -28,6 +27,7 @@
 #include <isc/netscope.h>
 #include <isc/result.h>
 #include <isc/sockaddr.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
 #include <bind9/getaddresses.h>
@@ -90,7 +90,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
 		char tmpbuf[128], *d;
 		isc_uint32_t zone = 0;
 
-		strcpy(tmpbuf, hostname);
+		strlcpy(tmpbuf, hostname, sizeof(tmpbuf));
 		d = strchr(tmpbuf, '%');
 		if (d != NULL)
 			*d = '\0';
@@ -163,6 +163,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
 			goto again;
 		}
 #endif
+		/* FALLTHROUGH */
 	default:
 		return (ISC_R_FAILURE);
 	}
diff --git a/usr.sbin/bind/lib/bind9/include/Makefile.in b/usr.sbin/bind/lib/bind9/include/Makefile.in
index d83cd6d96a7..49166a56615 100644
--- a/usr.sbin/bind/lib/bind9/include/Makefile.in
+++ b/usr.sbin/bind/lib/bind9/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/bind9/include/bind9/Makefile.in b/usr.sbin/bind/lib/bind9/include/bind9/Makefile.in
index c55168477e4..6a4572e9f9e 100644
--- a/usr.sbin/bind/lib/bind9/include/bind9/Makefile.in
+++ b/usr.sbin/bind/lib/bind9/include/bind9/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:31 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/bind9/include/bind9/check.h b/usr.sbin/bind/lib/bind9/include/bind9/check.h
index bf7a65848fb..7c721bc7b0c 100644
--- a/usr.sbin/bind/lib/bind9/include/bind9/check.h
+++ b/usr.sbin/bind/lib/bind9/include/bind9/check.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: check.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
diff --git a/usr.sbin/bind/lib/bind9/include/bind9/getaddresses.h b/usr.sbin/bind/lib/bind9/include/bind9/getaddresses.h
index 9fd6b0b91be..1d9eecb1173 100644
--- a/usr.sbin/bind/lib/bind9/include/bind9/getaddresses.h
+++ b/usr.sbin/bind/lib/bind9/include/bind9/getaddresses.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: getaddresses.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #ifndef BIND9_GETADDRESSES_H
 #define BIND9_GETADDRESSES_H 1
@@ -52,7 +51,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
  * Returns:
  *\li	#ISC_R_SUCCESS
  *\li	#ISC_R_NOTFOUND
- *\li	#ISC_R_NOFAMILYSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
+ *\li	#ISC_R_FAMILYNOSUPPORT - 'hostname' is an IPv6 address, and IPv6 is
  *		not supported.
  */
 
diff --git a/usr.sbin/bind/lib/bind9/include/bind9/version.h b/usr.sbin/bind/lib/bind9/include/bind9/version.h
index 7fa3cbf9819..a3fb5b86350 100644
--- a/usr.sbin/bind/lib/bind9/include/bind9/version.h
+++ b/usr.sbin/bind/lib/bind9/include/bind9/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file bind9/version.h */
 
diff --git a/usr.sbin/bind/lib/bind9/version.c b/usr.sbin/bind/lib/bind9/version.c
index 4cd65daf3c7..847703d1bf1 100644
--- a/usr.sbin/bind/lib/bind9/version.c
+++ b/usr.sbin/bind/lib/bind9/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:23 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/Makefile.in b/usr.sbin/bind/lib/dns/Makefile.in
index deac1bc2e7c..9ddc38567c3 100644
--- a/usr.sbin/bind/lib/dns/Makefile.in
+++ b/usr.sbin/bind/lib/dns/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -48,12 +47,15 @@ LIBS =		@LIBS@
 # Alphabetically
 
 OPENSSLGOSTLINKOBJS = opensslgost_link.@O@
+OPENSSLECDSALINKOBJS = opensslecdsa_link.@O@
+OPENSSLEDDSALINKOBJS = openssleddsa_link.@O@
 OPENSSLLINKOBJS = openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
-		  opensslecdsa_link.@O@ @OPENSSLGOSTLINKOBJS@ \
-		  opensslrsa_link.@O@
+		  @OPENSSLECDSALINKOBJS@ @OPENSSLEDDSALINKOBJS@ \
+		  @OPENSSLGOSTLINKOBJS@ opensslrsa_link.@O@
 
 PKCS11LINKOBJS	= pkcs11dh_link.@O@ pkcs11dsa_link.@O@ pkcs11rsa_link.@O@ \
-		pkcs11ecdsa_link.@O@ pkcs11gost_link.@O@ pkcs11.@O@
+		pkcs11ecdsa_link.@O@ pkcs11eddsa_link.@O@ \
+		pkcs11gost_link.@O@ pkcs11.@O@
 
 DSTOBJS =	@DST_EXTRA_OBJS@ @OPENSSLLINKOBJS@ @PKCS11LINKOBJS@ \
 		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
@@ -87,11 +89,15 @@ OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS} ${PORTDNSOBJS} \
 
 # Alphabetically
 OPENSSLGOSTLINKSRCS = opensslgost_link.c
+OPENSSLECDSALINKSRCS = opensslecdsa_link.c
+OPENSSLEDDSALINKSRCS = openssleddsa_link.c
 OPENSSLLINKSRCS = openssl_link.c openssldh_link.c openssldsa_link.c \
-		  opensslecdsa_link.c @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
+		  @OPENSSLECDSALINKSRCS@ @OPENSSLEDDSALINKSRCS@ \
+		  @OPENSSLGOSTLINKSRCS@ opensslrsa_link.c
 
 PKCS11LINKSRCS	= pkcs11dh_link.c pkcs11dsa_link.c pkcs11rsa_link.c \
-		pkcs11ecdsa_link.c pkcs11gost_link.c pkcs11.c
+		pkcs11ecdsa_link.c pkcs11eddsa_link.c \
+		pkcs11gost_link.c pkcs11.c
 
 DSTSRCS =	@DST_EXTRA_SRCS@ @OPENSSLLINKSRCS@ @PKCS11LINKSRCS@ \
 		dst_api.c dst_lib.c dst_parse.c \
@@ -119,8 +125,7 @@ PORTDNSSRCS =	client.c ecdb.c
 SRCS = ${DSTSRCS} ${DNSSRCS} ${PORTDNSSRCS} @GEOIPLINKSRCS@
 
 SUBDIRS =	include
-TARGETS =	include/dns/enumtype.h include/dns/enumclass.h \
-		include/dns/rdatastruct.h timestamp
+TARGETS =	timestamp
 TESTDIRS =	@UNITTESTS@
 
 DEPENDEXTRA =	./gen -F include/dns/rdatastruct.h \
@@ -148,9 +153,38 @@ libdns.la: ${OBJS}
 		-version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \
 		${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS}
 
-timestamp: libdns.@A@
+include: gen
+	${MAKE} include/dns/enumtype.h
+	${MAKE} include/dns/enumclass.h
+	${MAKE} include/dns/rdatastruct.h
+	${MAKE} code.h
+
+include/dns/enumtype.h: gen
+	./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/enumclass.h: gen
+	./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
+
+include/dns/rdatastruct.h: gen \
+		${srcdir}/rdata/rdatastructpre.h \
+		${srcdir}/rdata/rdatastructsuf.h
+	./gen -s ${srcdir} -i \
+		-P ${srcdir}/rdata/rdatastructpre.h \
+		-S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
+	{ rm -f $@ ; exit 1; }
+
+code.h:	gen
+	./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
+
+gen: gen.c
+	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
+	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+
+timestamp: include libdns.@A@
 	touch timestamp
 
+testdirs: libdns.@A@
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 
@@ -172,36 +206,12 @@ newrr::
 include: include/dns/enumtype.h include/dns/enumclass.h \
 	include/dns/rdatastruct.h
 
-rdata.@O@: code.h
-
-include/dns/enumtype.h: gen
-	./gen -s ${srcdir} -t > $@ || { rm -f $@ ; exit 1; }
-
-include/dns/enumclass.h: gen
-	./gen -s ${srcdir} -c > $@ || { rm -f $@ ; exit 1; }
-
-include/dns/rdatastruct.h: gen \
-		${srcdir}/rdata/rdatastructpre.h \
-		${srcdir}/rdata/rdatastructsuf.h
-	./gen -s ${srcdir} -i \
-		-P ${srcdir}/rdata/rdatastructpre.h \
-		-S ${srcdir}/rdata/rdatastructsuf.h > $@ || \
-	{ rm -f $@ ; exit 1; }
-
-code.h:	gen
-	./gen -s ${srcdir} > code.h || { rm -f $@ ; exit 1; }
-
-gen: gen.c
-	${BUILD_CC} ${BUILD_CFLAGS} -I${top_srcdir}/lib/isc/include \
-	${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} -o $@ ${srcdir}/gen.c ${BUILD_LIBS}
+rdata.@O@: include
 
 rbtdb64.@O@: rbtdb64.c rbtdb.c
 
-depend: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-subdirs: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h code.h
-${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
-	include/dns/rdatastruct.h
+depend: include
+subdirs: include
+${OBJS}: include
 
 spnego.@O@: spnego_asn1.c spnego.h
diff --git a/usr.sbin/bind/lib/dns/acache.c b/usr.sbin/bind/lib/dns/acache.c
index 334fd19e35f..3244385877a 100644
--- a/usr.sbin/bind/lib/dns/acache.c
+++ b/usr.sbin/bind/lib/dns/acache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: acache.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #include <config.h>
 
@@ -24,6 +24,7 @@
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
+#include <isc/platform.h>
 #include <isc/random.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
@@ -31,6 +32,7 @@
 #include <isc/task.h>
 #include <isc/time.h>
 #include <isc/timer.h>
+#include <isc/util.h>
 
 #include <dns/acache.h>
 #include <dns/db.h>
@@ -42,6 +44,10 @@
 #include <dns/result.h>
 #include <dns/zone.h>
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#include <stdatomic.h>
+#endif
+
 #define ACACHE_MAGIC			ISC_MAGIC('A', 'C', 'H', 'E')
 #define DNS_ACACHE_VALID(acache)	ISC_MAGIC_VALID(acache, ACACHE_MAGIC)
 
@@ -78,8 +84,13 @@
 
 #define DEFAULT_ACACHE_ENTRY_LOCK_COUNT	1009	 /*%< Should be prime. */
 
-#if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEATOMICSTORE)
+#if defined(ISC_RWLOCK_USEATOMIC) &&					\
+	((defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE)) || \
+	 defined(ISC_PLATFORM_HAVEATOMICSTORE))
 #define ACACHE_USE_RWLOCK 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE))
+#define ACACHE_HAVESTDATOMIC 1
+#endif
 #endif
 
 #ifdef ACACHE_USE_RWLOCK
@@ -88,8 +99,15 @@
 #define ACACHE_LOCK(l, t)	RWLOCK((l), (t))
 #define ACACHE_UNLOCK(l, t)	RWUNLOCK((l), (t))
 
+#ifdef ACACHE_HAVESTDATOMIC
+#define acache_storetime(entry, t) \
+	atomic_store_explicit(&(entry)->lastused, (t), \
+			      memory_order_relaxed);
+#else
 #define acache_storetime(entry, t) \
 	(isc_atomic_store((isc_int32_t *)&(entry)->lastused, (t)))
+#endif
+
 #else
 #define ACACHE_INITLOCK(l)	isc_mutex_init(l)
 #define ACACHE_DESTROYLOCK(l)	DESTROYLOCK(l)
@@ -235,7 +253,11 @@ struct dns_acacheentry {
 	void 			*cbarg;
 
 	/* Timestamp of the last time this entry is referred to */
+#ifdef ACACHE_HAVESTDATOMIC
+	atomic_uint_fast32_t	lastused;
+#else
 	isc_stdtime32_t		lastused;
+#endif
 };
 
 /*
@@ -1375,6 +1397,7 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 	dns_acacheentry_t *newentry;
 	isc_result_t result;
 	isc_uint32_t r;
+	isc_stdtime_t tmptime;
 
 	REQUIRE(DNS_ACACHE_VALID(acache));
 	REQUIRE(entryp != NULL && *entryp == NULL);
@@ -1430,7 +1453,8 @@ dns_acache_createentry(dns_acache_t *acache, dns_db_t *origdb,
 	newentry->origdb = NULL;
 	dns_db_attach(origdb, &newentry->origdb);
 
-	isc_stdtime_get(&newentry->lastused);
+	isc_stdtime_get(&tmptime);
+	acache_storetime(newentry, tmptime);
 
 	newentry->magic = ACACHEENTRY_MAGIC;
 
diff --git a/usr.sbin/bind/lib/dns/acl.c b/usr.sbin/bind/lib/dns/acl.c
index dac3705b467..40549e667d3 100644
--- a/usr.sbin/bind/lib/dns/acl.c
+++ b/usr.sbin/bind/lib/dns/acl.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: acl.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/adb.c b/usr.sbin/bind/lib/dns/adb.c
index d9f7f8cb8cc..e9ac74762d4 100644
--- a/usr.sbin/bind/lib/dns/adb.c
+++ b/usr.sbin/bind/lib/dns/adb.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -2187,7 +2186,7 @@ log_quota(dns_adbentry_t *entry, const char *fmt, ...) {
 	isc_netaddr_format(&netaddr, addrbuf, sizeof(addrbuf));
 
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_ADB,
-		      ISC_LOG_INFO, "adb: quota %s (%d/%d): %s",
+		      ISC_LOG_INFO, "adb: quota %s (%u/%u): %s",
 		      addrbuf, entry->active, entry->quota, msgbuf);
 }
 #endif /* ENABLE_FETCHLIMIT */
@@ -2869,7 +2868,7 @@ void
 dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
 	isc_task_t *tclone;
 	isc_event_t *event;
-	isc_boolean_t zeroirefcnt = ISC_FALSE;
+	isc_boolean_t zeroirefcnt;
 
 	/*
 	 * Send '*eventp' to 'task' when 'adb' has shutdown.
@@ -2882,8 +2881,8 @@ dns_adb_whenshutdown(dns_adb_t *adb, isc_task_t *task, isc_event_t **eventp) {
 	*eventp = NULL;
 
 	LOCK(&adb->lock);
-
 	LOCK(&adb->reflock);
+
 	zeroirefcnt = ISC_TF(adb->irefcnt == 0);
 
 	if (adb->shutting_down && zeroirefcnt &&
@@ -3458,7 +3457,7 @@ static void
 dump_ttl(FILE *f, const char *legend, isc_stdtime_t value, isc_stdtime_t now) {
 	if (value == INT_MAX)
 		return;
-	fprintf(f, " [%s TTL %d]", legend, value - now);
+	fprintf(f, " [%s TTL %d]", legend, (int)(value - now));
 }
 
 static void
@@ -3489,7 +3488,7 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
 		if (name == NULL)
 			continue;
 		if (debug)
-			fprintf(f, "; bucket %d\n", i);
+			fprintf(f, "; bucket %u\n", i);
 		for (;
 		     name != NULL;
 		     name = ISC_LIST_NEXT(name, plink))
@@ -3520,10 +3519,10 @@ dump_adb(dns_adb_t *adb, FILE *f, isc_boolean_t debug, isc_stdtime_t now) {
 			print_namehook_list(f, "v6", adb,
 					    &name->v6, debug, now);
 
-			if (debug)
+			if (debug) {
 				print_fetch_list(f, name);
-			if (debug)
 				print_find_list(f, name);
+			}
 		}
 	}
 
@@ -3583,11 +3582,11 @@ dump_entry(FILE *f, dns_adb_t *adb, dns_adbentry_t *entry,
 #endif
 
 	if (entry->expires != 0)
-		fprintf(f, " [ttl %d]", entry->expires - now);
+		fprintf(f, " [ttl %d]", (int)(entry->expires - now));
 
 #ifdef ENABLE_FETCHLIMIT
 	if (adb != NULL && adb->quota != 0 && adb->atr_freq != 0) {
-		fprintf(f, " [atr %0.2f] [quota %d]",
+		fprintf(f, " [atr %0.2f] [quota %u]",
 			entry->atr, entry->quota);
 	}
 #endif /* ENABLE_FETCHLIMIT */
@@ -3601,7 +3600,7 @@ dump_entry(FILE *f, dns_adb_t *adb, dns_adbentry_t *entry,
 		print_dns_name(f, &li->qname);
 		dns_rdatatype_format(li->qtype, typebuf, sizeof(typebuf));
 		fprintf(f, " %s [lame TTL %d]\n", typebuf,
-			li->lame_timer - now);
+			(int)(li->lame_timer - now));
 	}
 }
 
@@ -4263,6 +4262,8 @@ static int quota_adj[] = {
 	312, 307, 303, 298, 294, 290, 286, 282, 278
 };
 
+#define QUOTA_ADJ_SIZE (sizeof(quota_adj)/sizeof(quota_adj[0]))
+
 /*
  * Caller must hold adbentry lock
  */
@@ -4301,12 +4302,13 @@ maybe_adjust_quota(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 	if (addr->entry->atr < adb->atr_low && addr->entry->mode > 0) {
 		addr->entry->quota = adb->quota *
 			quota_adj[--addr->entry->mode] / 10000;
-		log_quota(addr->entry, "atr %0.2f, quota increased to %d",
+		log_quota(addr->entry, "atr %0.2f, quota increased to %u",
 			  addr->entry->atr, addr->entry->quota);
-	} else if (addr->entry->atr > adb->atr_high && addr->entry->mode < 99) {
+	} else if (addr->entry->atr > adb->atr_high &&
+		   addr->entry->mode < (QUOTA_ADJ_SIZE - 1)) {
 		addr->entry->quota = adb->quota *
 			quota_adj[++addr->entry->mode] / 10000;
-		log_quota(addr->entry, "atr %0.2f, quota decreased to %d",
+		log_quota(addr->entry, "atr %0.2f, quota decreased to %u",
 			  addr->entry->atr, addr->entry->quota);
 	}
 
diff --git a/usr.sbin/bind/lib/dns/api b/usr.sbin/bind/lib/dns/api
index f2be618c487..19c5d38c7bb 100644
--- a/usr.sbin/bind/lib/dns/api
+++ b/usr.sbin/bind/lib/dns/api
@@ -3,9 +3,11 @@
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
 # 9.9: 90-109, 170-179
-# 9.9-sub: 130-139, 150-159
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
-LIBINTERFACE = 170
-LIBREVISION = 4
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 193
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/dns/byaddr.c b/usr.sbin/bind/lib/dns/byaddr.c
index 4ffd4730ff0..8f798afbbbf 100644
--- a/usr.sbin/bind/lib/dns/byaddr.c
+++ b/usr.sbin/bind/lib/dns/byaddr.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.7 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: byaddr.c,v 1.8 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -84,11 +83,13 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 	if (address->family == AF_INET) {
 		(void)snprintf(textname, sizeof(textname),
 			       "%u.%u.%u.%u.in-addr.arpa.",
-			       (bytes[3] & 0xff),
-			       (bytes[2] & 0xff),
-			       (bytes[1] & 0xff),
-			       (bytes[0] & 0xff));
+			       (bytes[3] & 0xffU),
+			       (bytes[2] & 0xffU),
+			       (bytes[1] & 0xffU),
+			       (bytes[0] & 0xffU));
 	} else if (address->family == AF_INET6) {
+		size_t remaining;
+
 		cp = textname;
 		for (i = 15; i >= 0; i--) {
 			*cp++ = hex_digits[bytes[i] & 0x0f];
@@ -96,10 +97,12 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
 			*cp++ = hex_digits[(bytes[i] >> 4) & 0x0f];
 			*cp++ = '.';
 		}
-		if ((options & DNS_BYADDROPT_IPV6INT) != 0)
-			strcpy(cp, "ip6.int.");
-		else
-			strcpy(cp, "ip6.arpa.");
+		remaining = sizeof(textname) - (cp - textname);
+		if ((options & DNS_BYADDROPT_IPV6INT) != 0) {
+			strlcpy(cp, "ip6.int.", remaining);
+		} else {
+			strlcpy(cp, "ip6.arpa.", remaining);
+		}
 	} else
 		return (ISC_R_NOTIMPLEMENTED);
 
diff --git a/usr.sbin/bind/lib/dns/cache.c b/usr.sbin/bind/lib/dns/cache.c
index 69b35d1a970..ba0625c37ed 100644
--- a/usr.sbin/bind/lib/dns/cache.c
+++ b/usr.sbin/bind/lib/dns/cache.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.7 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: cache.c,v 1.8 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -1418,18 +1417,24 @@ dns_cache_dumpstats(dns_cache_t *cache, FILE *fp) {
 		(isc_uint64_t) dns_db_hashsize(cache->db),
 		"cache database hash buckets");
 
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_total(cache->mctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_total(cache->mctx),
 		"cache tree memory total");
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_inuse(cache->mctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_inuse(cache->mctx),
 		"cache tree memory in use");
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_maxinuse(cache->mctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_maxinuse(cache->mctx),
 		"cache tree highest memory in use");
 
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_total(cache->hmctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_total(cache->hmctx),
 		"cache heap memory total");
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_inuse(cache->hmctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_inuse(cache->hmctx),
 		"cache heap memory in use");
-	fprintf(fp, "%20u %s\n", (unsigned int) isc_mem_maxinuse(cache->hmctx),
+	fprintf(fp, "%20" ISC_PLATFORM_QUADFORMAT "u %s\n",
+		(isc_uint64_t) isc_mem_maxinuse(cache->hmctx),
 		"cache heap highest memory in use");
 }
 
@@ -1551,7 +1556,7 @@ dns_cache_renderjson(dns_cache_t *cache, json_object *cstats) {
 
 	obj = json_object_new_int64(isc_mem_maxinuse(cache->mctx));
 	CHECKMEM(obj);
-	json_object_object_add(cstats, "HeapMemMax", obj);
+	json_object_object_add(cstats, "TreeMemMax", obj);
 
 	obj = json_object_new_int64(isc_mem_total(cache->hmctx));
 	CHECKMEM(obj);
diff --git a/usr.sbin/bind/lib/dns/callbacks.c b/usr.sbin/bind/lib/dns/callbacks.c
index 47a3cd2bf41..e8169f24fac 100644
--- a/usr.sbin/bind/lib/dns/callbacks.c
+++ b/usr.sbin/bind/lib/dns/callbacks.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: callbacks.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/client.c b/usr.sbin/bind/lib/dns/client.c
index 8fd0efe0212..b784eb0887b 100644
--- a/usr.sbin/bind/lib/dns/client.c
+++ b/usr.sbin/bind/lib/dns/client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -625,7 +625,7 @@ dns_client_destroy(dns_client_t **clientp) {
 
 isc_result_t
 dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
-		      dns_name_t *namespace, isc_sockaddrlist_t *addrs)
+		      dns_name_t *name_space, isc_sockaddrlist_t *addrs)
 {
 	isc_result_t result;
 	dns_view_t *view = NULL;
@@ -633,8 +633,8 @@ dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
 	REQUIRE(DNS_CLIENT_VALID(client));
 	REQUIRE(addrs != NULL);
 
-	if (namespace == NULL)
-		namespace = dns_rootname;
+	if (name_space == NULL)
+		name_space = dns_rootname;
 
 	LOCK(&client->lock);
 	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
@@ -645,7 +645,7 @@ dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
 	}
 	UNLOCK(&client->lock);
 
-	result = dns_fwdtable_add(view->fwdtable, namespace, addrs,
+	result = dns_fwdtable_add(view->fwdtable, name_space, addrs,
 				  dns_fwdpolicy_only);
 
 	dns_view_detach(&view);
@@ -655,15 +655,15 @@ dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
 
 isc_result_t
 dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
-			dns_name_t *namespace)
+			dns_name_t *name_space)
 {
 	isc_result_t result;
 	dns_view_t *view = NULL;
 
 	REQUIRE(DNS_CLIENT_VALID(client));
 
-	if (namespace == NULL)
-		namespace = dns_rootname;
+	if (name_space == NULL)
+		name_space = dns_rootname;
 
 	LOCK(&client->lock);
 	result = dns_viewlist_find(&client->viewlist, DNS_CLIENTVIEW_NAME,
@@ -674,7 +674,7 @@ dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
 	}
 	UNLOCK(&client->lock);
 
-	result = dns_fwdtable_delete(view->fwdtable, namespace);
+	result = dns_fwdtable_delete(view->fwdtable, name_space);
 
 	dns_view_detach(&view);
 
@@ -2940,6 +2940,17 @@ dns_client_startupdate(dns_client_t *client, dns_rdataclass_t rdclass,
 	*transp = (dns_clientupdatetrans_t *)uctx;
 	result = isc_app_ctxonrun(client->actx, client->mctx, client->task,
 				  startupdate, uctx);
+	if (result == ISC_R_ALREADYRUNNING) {
+		isc_event_t *event;
+		event = isc_event_allocate(client->mctx, dns_client_startupdate,
+					   DNS_EVENT_STARTUPDATE, startupdate,
+					   uctx, sizeof(*event));
+		if (event != NULL) {
+			result = ISC_R_SUCCESS;
+			isc_task_send(task, &event);
+		} else
+			result = ISC_R_NOMEMORY;
+	}
 	if (result == ISC_R_SUCCESS)
 		return (result);
 	*transp = NULL;
diff --git a/usr.sbin/bind/lib/dns/clientinfo.c b/usr.sbin/bind/lib/dns/clientinfo.c
index 60311df40b5..2190dd7162a 100644
--- a/usr.sbin/bind/lib/dns/clientinfo.c
+++ b/usr.sbin/bind/lib/dns/clientinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: clientinfo.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: clientinfo.c,v 1.2 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/compress.c b/usr.sbin/bind/lib/dns/compress.c
index 5bc8a5e29db..d9522581815 100644
--- a/usr.sbin/bind/lib/dns/compress.c
+++ b/usr.sbin/bind/lib/dns/compress.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: compress.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -260,7 +259,7 @@ dns_compress_rollback(dns_compress_t *cctx, isc_uint16_t offset) {
 		/*
 		 * This relies on nodes with greater offsets being
 		 * closer to the beginning of the list, and the
-		 * items with the greatest offsets being at the end 
+		 * items with the greatest offsets being at the end
 		 * of the initialnodes[] array.
 		 */
 		while (node != NULL && node->offset >= offset) {
diff --git a/usr.sbin/bind/lib/dns/db.c b/usr.sbin/bind/lib/dns/db.c
index 064d96e9014..d0f1b548137 100644
--- a/usr.sbin/bind/lib/dns/db.c
+++ b/usr.sbin/bind/lib/dns/db.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: db.c,v 1.6 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/dbiterator.c b/usr.sbin/bind/lib/dns/dbiterator.c
index d3393d81bda..4d773deb5b7 100644
--- a/usr.sbin/bind/lib/dns/dbiterator.c
+++ b/usr.sbin/bind/lib/dns/dbiterator.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dbiterator.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/dbtable.c b/usr.sbin/bind/lib/dns/dbtable.c
index 5f7c483e514..d17c952a4ca 100644
--- a/usr.sbin/bind/lib/dns/dbtable.c
+++ b/usr.sbin/bind/lib/dns/dbtable.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  */
 
 /*
- * $Id: dbtable.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dbtable.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 /*! \file
diff --git a/usr.sbin/bind/lib/dns/diff.c b/usr.sbin/bind/lib/dns/diff.c
index 3c681479563..1950475f572 100644
--- a/usr.sbin/bind/lib/dns/diff.c
+++ b/usr.sbin/bind/lib/dns/diff.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: diff.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
@@ -39,6 +38,7 @@
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
+#include <dns/time.h>
 
 #define CHECK(op) \
 	do { result = (op);					\
@@ -88,11 +88,16 @@ dns_difftuple_create(isc_mem_t *mctx,
 
 	t->ttl = ttl;
 
-	memmove(datap, rdata->data, rdata->length);
 	dns_rdata_init(&t->rdata);
 	dns_rdata_clone(rdata, &t->rdata);
-	t->rdata.data = datap;
-	datap += rdata->length;
+	if (rdata->data != NULL) {
+		memmove(datap, rdata->data, rdata->length);
+		t->rdata.data = datap;
+		datap += rdata->length;
+	} else {
+		t->rdata.data = NULL;
+		INSIST(rdata->length == 0);
+	}
 
 	ISC_LINK_INIT(&t->rdata, link);
 	ISC_LINK_INIT(t, link);
@@ -204,7 +209,7 @@ static isc_stdtime_t
 setresign(dns_rdataset_t *modified) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_rrsig_t sig;
-	isc_stdtime_t when;
+	isc_int64_t when;
 	isc_result_t result;
 
 	result = dns_rdataset_first(modified);
@@ -214,7 +219,7 @@ setresign(dns_rdataset_t *modified) {
 	if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
 		when = 0;
 	else
-		when = sig.timeexpire;
+		when = dns_time64_from32(sig.timeexpire);
 	dns_rdata_reset(&rdata);
 
 	result = dns_rdataset_next(modified);
@@ -224,14 +229,14 @@ setresign(dns_rdataset_t *modified) {
 		if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
 			goto next_rr;
 		}
-		if (when == 0 || sig.timeexpire < when)
-			when = sig.timeexpire;
+		if (when == 0 || dns_time64_from32(sig.timeexpire) < when)
+			when = dns_time64_from32(sig.timeexpire);
  next_rr:
 		dns_rdata_reset(&rdata);
 		result = dns_rdataset_next(modified);
 	}
 	INSIST(result == ISC_R_NOMORE);
-	return (when);
+	return ((isc_stdtime_t)when);
 }
 
 static isc_result_t
diff --git a/usr.sbin/bind/lib/dns/dispatch.c b/usr.sbin/bind/lib/dns/dispatch.c
index 3371af0baa4..e487b8d0725 100644
--- a/usr.sbin/bind/lib/dns/dispatch.c
+++ b/usr.sbin/bind/lib/dns/dispatch.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -3685,12 +3684,14 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event) {
 	isc_socketevent_t *sevent, *newsevent;
 
 	REQUIRE(VALID_DISPATCH(disp));
-	REQUIRE((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) != 0);
 	REQUIRE(event != NULL);
 
-	sevent = (isc_socketevent_t *)event;
+	if ((disp->attributes & DNS_DISPATCHATTR_NOLISTEN) == 0)
+		return;
 
+	sevent = (isc_socketevent_t *)event;
 	INSIST(sevent->n <= disp->mgr->buffersize);
+
 	newsevent = (isc_socketevent_t *)
 		    isc_event_allocate(disp->mgr->mctx, NULL,
 				      DNS_EVENT_IMPORTRECVDONE, udp_shrecv,
diff --git a/usr.sbin/bind/lib/dns/dlz.c b/usr.sbin/bind/lib/dns/dlz.c
index 72df22f58a2..7297b3573bf 100644
--- a/usr.sbin/bind/lib/dns/dlz.c
+++ b/usr.sbin/bind/lib/dns/dlz.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2005, 2007, 2009-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -50,7 +49,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dlz.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/dns64.c b/usr.sbin/bind/lib/dns/dns64.c
index 4245a40e6bc..dc53240b1b6 100644
--- a/usr.sbin/bind/lib/dns/dns64.c
+++ b/usr.sbin/bind/lib/dns/dns64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2011, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dns64.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: dns64.c,v 1.2 2019/12/17 01:46:31 sthen Exp $ */
 
 #include <config.h>
 
@@ -57,9 +57,9 @@ isc_result_t
 dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
 		 unsigned int prefixlen, isc_netaddr_t *suffix,
 		 dns_acl_t *clients, dns_acl_t *mapped, dns_acl_t *excluded,
-		 unsigned int flags, dns_dns64_t **dns64)
+		 unsigned int flags, dns_dns64_t **dns64p)
 {
-	dns_dns64_t *new;
+	dns_dns64_t *dns64;
 	unsigned int nbytes = 16;
 
 	REQUIRE(prefix != NULL && prefix->family == AF_INET6);
@@ -67,7 +67,7 @@ dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
 	REQUIRE(prefixlen == 32 || prefixlen == 40 || prefixlen == 48 ||
 		prefixlen == 56 || prefixlen == 64 || prefixlen == 96);
 	REQUIRE(isc_netaddr_prefixok(prefix, prefixlen) == ISC_R_SUCCESS);
-	REQUIRE(dns64 != NULL && *dns64 == NULL);
+	REQUIRE(dns64p != NULL && *dns64p == NULL);
 
 	if (suffix != NULL) {
 		static const unsigned char zeros[16];
@@ -79,29 +79,29 @@ dns_dns64_create(isc_mem_t *mctx, isc_netaddr_t *prefix,
 		REQUIRE(memcmp(suffix->type.in6.s6_addr, zeros, nbytes) == 0);
 	}
 
-	new = isc_mem_get(mctx, sizeof(dns_dns64_t));
-	if (new == NULL)
+	dns64 = isc_mem_get(mctx, sizeof(dns_dns64_t));
+	if (dns64 == NULL)
 		return (ISC_R_NOMEMORY);
-	memset(new->bits, 0, sizeof(new->bits));
-	memmove(new->bits, prefix->type.in6.s6_addr, prefixlen / 8);
+	memset(dns64->bits, 0, sizeof(dns64->bits));
+	memmove(dns64->bits, prefix->type.in6.s6_addr, prefixlen / 8);
 	if (suffix != NULL)
-		memmove(new->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
+		memmove(dns64->bits + nbytes, suffix->type.in6.s6_addr + nbytes,
 			16 - nbytes);
-	new->clients = NULL;
+	dns64->clients = NULL;
 	if (clients != NULL)
-		dns_acl_attach(clients, &new->clients);
-	new->mapped = NULL;
+		dns_acl_attach(clients, &dns64->clients);
+	dns64->mapped = NULL;
 	if (mapped != NULL)
-		dns_acl_attach(mapped, &new->mapped);
-	new->excluded = NULL;
+		dns_acl_attach(mapped, &dns64->mapped);
+	dns64->excluded = NULL;
 	if (excluded != NULL)
-		dns_acl_attach(excluded, &new->excluded);
-	new->prefixlen = prefixlen;
-	new->flags = flags;
-	ISC_LINK_INIT(new, link);
-	new->mctx = NULL;
-	isc_mem_attach(mctx, &new->mctx);
-	*dns64 = new;
+		dns_acl_attach(excluded, &dns64->excluded);
+	dns64->prefixlen = prefixlen;
+	dns64->flags = flags;
+	ISC_LINK_INIT(dns64, link);
+	dns64->mctx = NULL;
+	isc_mem_attach(mctx, &dns64->mctx);
+	*dns64p = dns64;
 	return (ISC_R_SUCCESS);
 }
 
diff --git a/usr.sbin/bind/lib/dns/dnssec.c b/usr.sbin/bind/lib/dns/dnssec.c
index 2db0860d05b..b07f9de83f9 100644
--- a/usr.sbin/bind/lib/dns/dnssec.c
+++ b/usr.sbin/bind/lib/dns/dnssec.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.6 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dnssec.c,v 1.7 2019/12/17 01:46:31 sthen Exp $
  */
 
 /*! \file */
@@ -616,7 +615,7 @@ dns_dnssec_verify(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 isc_boolean_t
 dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
 	isc_result_t result;
-	isc_stdtime_t publish, active, revoke, inactive, delete;
+	isc_stdtime_t publish, active, revoke, inactive, deltime;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
 	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
 	isc_boolean_t delset = ISC_FALSE;
@@ -649,11 +648,11 @@ dns_dnssec_keyactive(dst_key_t *key, isc_stdtime_t now) {
 	if (result == ISC_R_SUCCESS)
 		inactset = ISC_TRUE;
 
-	result = dst_key_gettime(key, DST_TIME_DELETE, &delete);
+	result = dst_key_gettime(key, DST_TIME_DELETE, &deltime);
 	if (result == ISC_R_SUCCESS)
 		delset = ISC_TRUE;
 
-	if ((inactset && inactive <= now) || (delset && delete <= now))
+	if ((inactset && inactive <= now) || (delset && deltime <= now))
 		return (ISC_FALSE);
 
 	if (revset && revoke <= now && pubset && publish <= now)
@@ -1219,7 +1218,7 @@ dns_dnsseckey_destroy(isc_mem_t *mctx, dns_dnsseckey_t **dkp) {
 static void
 get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
 	isc_result_t result;
-	isc_stdtime_t publish, active, revoke, inactive, delete;
+	isc_stdtime_t publish, active, revoke, inactive, deltime;
 	isc_boolean_t pubset = ISC_FALSE, actset = ISC_FALSE;
 	isc_boolean_t revset = ISC_FALSE, inactset = ISC_FALSE;
 	isc_boolean_t delset = ISC_FALSE;
@@ -1242,7 +1241,7 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
 	if (result == ISC_R_SUCCESS)
 		inactset = ISC_TRUE;
 
-	result = dst_key_gettime(key->key, DST_TIME_DELETE, &delete);
+	result = dst_key_gettime(key->key, DST_TIME_DELETE, &deltime);
 	if (result == ISC_R_SUCCESS)
 		delset = ISC_TRUE;
 
@@ -1302,7 +1301,7 @@ get_hints(dns_dnsseckey_t *key, isc_stdtime_t now) {
 	/*
 	 * Metadata says delete, so don't publish this key or sign with it.
 	 */
-	if (delset && delete <= now) {
+	if (delset && deltime <= now) {
 		key->hint_publish = ISC_FALSE;
 		key->hint_sign = ISC_FALSE;
 		key->hint_remove = ISC_TRUE;
diff --git a/usr.sbin/bind/lib/dns/ds.c b/usr.sbin/bind/lib/dns/ds.c
index 1b2304c812e..6b6c1b03a6b 100644
--- a/usr.sbin/bind/lib/dns/ds.c
+++ b/usr.sbin/bind/lib/dns/ds.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: ds.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/dst_api.c b/usr.sbin/bind/lib/dns/dst_api.c
index 59eb747f2cd..4eabb3b0356 100644
--- a/usr.sbin/bind/lib/dns/dst_api.c
+++ b/usr.sbin/bind/lib/dns/dst_api.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +33,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.6 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dst_api.c,v 1.7 2019/12/17 01:46:31 sthen Exp $
  */
 
 /*! \file */
@@ -53,6 +55,7 @@
 #include <isc/print.h>
 #include <isc/refcount.h>
 #include <isc/random.h>
+#include <isc/safe.h>
 #include <isc/string.h>
 #include <isc/time.h>
 #include <isc/util.h>
@@ -235,6 +238,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
 #endif
+#ifdef HAVE_OPENSSL_ED25519
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_OPENSSL_ED448
+	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
 #elif PKCS11CRYPTO
 	RETERR(dst__pkcs11_init(mctx, engine));
 #ifndef PK11_MD5_DISABLE
@@ -255,6 +264,12 @@ dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
 	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
 	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
 #endif
+#ifdef HAVE_PKCS11_ED25519
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED25519]));
+#endif
+#ifdef HAVE_PKCS11_ED448
+	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
+#endif
 #ifdef HAVE_PKCS11_GOST
 	RETERR(dst__pkcs11gost_init(&dst_t_func[DST_ALG_ECCGOST]));
 #endif
@@ -1210,8 +1225,8 @@ dst_key_free(dst_key_t **keyp) {
 	if (key->key_tkeytoken) {
 		isc_buffer_free(&key->key_tkeytoken);
 	}
-	memset(key, 0, sizeof(dst_key_t));
-	isc_mem_putanddetach(&mctx, key, sizeof(dst_key_t));
+	isc_safe_memwipe(key, sizeof(*key));
+	isc_mem_putanddetach(&mctx, key, sizeof(*key));
 	*keyp = NULL;
 }
 
@@ -1266,6 +1281,12 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	case DST_ALG_ECDSA384:
 		*n = DNS_SIG_ECDSA384SIZE;
 		break;
+	case DST_ALG_ED25519:
+		*n = DNS_SIG_ED25519SIZE;
+		break;
+	case DST_ALG_ED448:
+		*n = DNS_SIG_ED448SIZE;
+		break;
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		*n = 16;
@@ -1608,6 +1629,8 @@ issymmetric(const dst_key_t *key) {
 	case DST_ALG_ECCGOST:
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
 		return (ISC_FALSE);
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
@@ -1762,7 +1785,7 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 	fprintf(fp, " ");
 
 	if (key->key_ttl != 0)
-		fprintf(fp, "%d ", key->key_ttl);
+		fprintf(fp, "%u ", key->key_ttl);
 
 	isc_buffer_usedregion(&classb, &r);
 	if ((unsigned) fwrite(r.base, 1, r.length, fp) != r.length)
@@ -1817,8 +1840,9 @@ buildfilename(dns_name_t *name, dns_keytag_t id,
 	len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
 	if (isc_buffer_availablelength(out) < len)
 		return (ISC_R_NOSPACE);
-	sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
-		suffix);
+	snprintf((char *) isc_buffer_used(out),
+		 (int)isc_buffer_availablelength(out),
+		 "+%03d+%05d%s", alg, id, suffix);
 	isc_buffer_add(out, len);
 
 	return (ISC_R_SUCCESS);
@@ -1894,7 +1918,8 @@ algorithm_status(unsigned int alg) {
 	    alg == DST_ALG_NSEC3RSASHA1 ||
 	    alg == DST_ALG_RSASHA256 || alg == DST_ALG_RSASHA512 ||
 	    alg == DST_ALG_ECCGOST ||
-	    alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384)
+	    alg == DST_ALG_ECDSA256 || alg == DST_ALG_ECDSA384 ||
+	    alg == DST_ALG_ED25519 || alg == DST_ALG_ED448)
 		return (DST_R_NOCRYPTO);
 #endif
 	return (DST_R_UNSUPPORTEDALG);
diff --git a/usr.sbin/bind/lib/dns/dst_gost.h b/usr.sbin/bind/lib/dns/dst_gost.h
index a60bb191f40..f8a9c72c993 100644
--- a/usr.sbin/bind/lib/dns/dst_gost.h
+++ b/usr.sbin/bind/lib/dns/dst_gost.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/dst_internal.h b/usr.sbin/bind/lib/dns/dst_internal.h
index 3f5c7899fb9..f36c84dde9f 100644
--- a/usr.sbin/bind/lib/dns/dst_internal.h
+++ b/usr.sbin/bind/lib/dns/dst_internal.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -29,7 +31,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dst_internal.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -265,9 +267,15 @@ isc_result_t dst__gssapi_init(struct dst_func **funcp);
 #ifdef HAVE_OPENSSL_ECDSA
 isc_result_t dst__opensslecdsa_init(struct dst_func **funcp);
 #endif
+#if defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448)
+isc_result_t dst__openssleddsa_init(struct dst_func **funcp);
+#endif
 #ifdef HAVE_PKCS11_ECDSA
 isc_result_t dst__pkcs11ecdsa_init(struct dst_func **funcp);
 #endif
+#if defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+isc_result_t dst__pkcs11eddsa_init(struct dst_func **funcp);
+#endif
 #ifdef HAVE_OPENSSL_GOST
 isc_result_t dst__opensslgost_init(struct dst_func **funcp);
 #endif
diff --git a/usr.sbin/bind/lib/dns/dst_lib.c b/usr.sbin/bind/lib/dns/dst_lib.c
index 042326829a9..8c566b0b51d 100644
--- a/usr.sbin/bind/lib/dns/dst_lib.c
+++ b/usr.sbin/bind/lib/dns/dst_lib.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +16,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dst_lib.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 /*! \file */
diff --git a/usr.sbin/bind/lib/dns/dst_openssl.h b/usr.sbin/bind/lib/dns/dst_openssl.h
index 45ee2ed413a..03450c84c42 100644
--- a/usr.sbin/bind/lib/dns/dst_openssl.h
+++ b/usr.sbin/bind/lib/dns/dst_openssl.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dst_openssl.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1
@@ -47,7 +46,7 @@
  *     	 _cb;
  * #endif
  */
-#define BN_GENCB_free(x) (x = NULL);
+#define BN_GENCB_free(x) ((void)0)
 #define BN_GENCB_new() (&_cb)
 #define BN_GENCB_get_arg(x) ((x)->arg)
 #endif
diff --git a/usr.sbin/bind/lib/dns/dst_parse.c b/usr.sbin/bind/lib/dns/dst_parse.c
index 8a74cb9cd78..78d5f9e2750 100644
--- a/usr.sbin/bind/lib/dns/dst_parse.c
+++ b/usr.sbin/bind/lib/dns/dst_parse.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +33,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dst_parse.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 #include <config.h>
@@ -119,6 +121,10 @@ static struct parse_map map[] = {
 	{TAG_ECDSA_ENGINE, "Engine:" },
 	{TAG_ECDSA_LABEL, "Label:" },
 
+	{TAG_EDDSA_PRIVATEKEY, "PrivateKey:"},
+	{TAG_EDDSA_ENGINE, "Engine:" },
+	{TAG_EDDSA_LABEL, "Label:" },
+
 #ifndef PK11_MD5_DISABLE
 	{TAG_HMACMD5_KEY, "Key:"},
 	{TAG_HMACMD5_BITS, "Bits:"},
@@ -210,9 +216,7 @@ check_rsa(const dst_private_t *priv, isc_boolean_t external) {
 		have[i] = ISC_TRUE;
 	}
 
-	mask = ~0;
-	mask <<= sizeof(mask) * 8 - TAG_SHIFT;
-	mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+	mask = (1ULL << TAG_SHIFT) - 1;
 
 	if (have[TAG_RSA_ENGINE & mask])
 		ok = have[TAG_RSA_MODULUS & mask] &&
@@ -304,9 +308,7 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
 		have[i] = ISC_TRUE;
 	}
 
-	mask = ~0;
-	mask <<= sizeof(mask) * 8 - TAG_SHIFT;
-	mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+	mask = (1ULL << TAG_SHIFT) - 1;
 
 	if (have[TAG_ECDSA_ENGINE & mask])
 		ok = have[TAG_ECDSA_LABEL & mask];
@@ -315,6 +317,36 @@ check_ecdsa(const dst_private_t *priv, isc_boolean_t external) {
 	return (ok ? 0 : -1 );
 }
 
+static int
+check_eddsa(const dst_private_t *priv, isc_boolean_t external) {
+	int i, j;
+	isc_boolean_t have[EDDSA_NTAGS];
+	isc_boolean_t ok;
+	unsigned int mask;
+
+	if (external)
+		return ((priv->nelements == 0) ? 0 : -1);
+
+	for (i = 0; i < EDDSA_NTAGS; i++)
+		have[i] = ISC_FALSE;
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < EDDSA_NTAGS; i++)
+			if (priv->elements[j].tag == TAG(DST_ALG_ED25519, i))
+				break;
+		if (i == EDDSA_NTAGS)
+			return (-1);
+		have[i] = ISC_TRUE;
+	}
+
+	mask = (1ULL << TAG_SHIFT) - 1;
+
+	if (have[TAG_EDDSA_ENGINE & mask])
+		ok = have[TAG_EDDSA_LABEL & mask];
+	else
+		ok = have[TAG_EDDSA_PRIVATEKEY & mask];
+	return (ok ? 0 : -1 );
+}
+
 #ifndef PK11_MD5_DISABLE
 static int
 check_hmac_md5(const dst_private_t *priv, isc_boolean_t old) {
@@ -392,6 +424,9 @@ check_data(const dst_private_t *priv, const unsigned int alg,
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 		return (check_ecdsa(priv, external));
+	case DST_ALG_ED25519:
+	case DST_ALG_ED448:
+		return (check_eddsa(priv, external));
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		return (check_hmac_md5(priv, old));
@@ -612,7 +647,12 @@ dst__privstruct_parse(dst_key_t *key, unsigned int alg, isc_lex_t *lex,
 		goto fail;
 	}
 
+#ifdef PK11_MD5_DISABLE
+	check = check_data(priv, alg == DST_ALG_RSA ? DST_ALG_RSASHA1 : alg,
+			   ISC_TRUE, external);
+#else
 	check = check_data(priv, alg, ISC_TRUE, external);
+#endif
 	if (check < 0) {
 		ret = DST_R_INVALIDPRIVATEKEY;
 		goto fail;
@@ -701,7 +741,7 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	/* XXXDCL return value should be checked for full filesystem */
 	fprintf(fp, "%s v%d.%d\n", PRIVATE_KEY_STR, major, minor);
 
-	fprintf(fp, "%s %d ", ALGORITHM_STR, dst_key_alg(key));
+	fprintf(fp, "%s %u ", ALGORITHM_STR, dst_key_alg(key));
 
 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (dst_key_alg(key)) {
@@ -738,6 +778,12 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 	case DST_ALG_ECDSA384:
 		fprintf(fp, "(ECDSAP384SHA384)\n");
 		break;
+	case DST_ALG_ED25519:
+		fprintf(fp, "(ED25519)\n");
+		break;
+	case DST_ALG_ED448:
+		fprintf(fp, "(ED448)\n");
+		break;
 	case DST_ALG_HMACMD5:
 		fprintf(fp, "(HMAC_MD5)\n");
 		break;
diff --git a/usr.sbin/bind/lib/dns/dst_parse.h b/usr.sbin/bind/lib/dns/dst_parse.h
index cef69b4ae4d..b73d9851700 100644
--- a/usr.sbin/bind/lib/dns/dst_parse.h
+++ b/usr.sbin/bind/lib/dns/dst_parse.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2010, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -29,7 +31,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dst_parse.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file */
 #ifndef DST_DST_PARSE_H
@@ -86,6 +88,11 @@
 #define TAG_ECDSA_ENGINE	((DST_ALG_ECDSA256 << TAG_SHIFT) + 1)
 #define TAG_ECDSA_LABEL		((DST_ALG_ECDSA256 << TAG_SHIFT) + 2)
 
+#define EDDSA_NTAGS		4
+#define TAG_EDDSA_PRIVATEKEY	((DST_ALG_ED25519 << TAG_SHIFT) + 0)
+#define TAG_EDDSA_ENGINE	((DST_ALG_ED25519 << TAG_SHIFT) + 1)
+#define TAG_EDDSA_LABEL		((DST_ALG_ED25519 << TAG_SHIFT) + 2)
+
 #define OLD_HMACMD5_NTAGS	1
 #define HMACMD5_NTAGS		2
 #define TAG_HMACMD5_KEY		((DST_ALG_HMACMD5 << TAG_SHIFT) + 0)
diff --git a/usr.sbin/bind/lib/dns/dst_pkcs11.h b/usr.sbin/bind/lib/dns/dst_pkcs11.h
index cb572939848..574b64ce05e 100644
--- a/usr.sbin/bind/lib/dns/dst_pkcs11.h
+++ b/usr.sbin/bind/lib/dns/dst_pkcs11.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/dst_result.c b/usr.sbin/bind/lib/dns/dst_result.c
index 00d52d56298..af4a83643bb 100644
--- a/usr.sbin/bind/lib/dns/dst_result.c
+++ b/usr.sbin/bind/lib/dns/dst_result.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +16,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: dst_result.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 #include <config.h>
diff --git a/usr.sbin/bind/lib/dns/ecdb.c b/usr.sbin/bind/lib/dns/ecdb.c
index 4637120b2cb..ad44a466d93 100644
--- a/usr.sbin/bind/lib/dns/ecdb.c
+++ b/usr.sbin/bind/lib/dns/ecdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/forward.c b/usr.sbin/bind/lib/dns/forward.c
index 5d64643a165..58c02988122 100644
--- a/usr.sbin/bind/lib/dns/forward.c
+++ b/usr.sbin/bind/lib/dns/forward.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/gen-unix.h b/usr.sbin/bind/lib/dns/gen-unix.h
index 73ae94906e9..b245379e221 100644
--- a/usr.sbin/bind/lib/dns/gen-unix.h
+++ b/usr.sbin/bind/lib/dns/gen-unix.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen-unix.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: gen-unix.h,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file
  * \brief
diff --git a/usr.sbin/bind/lib/dns/gen-win32.h b/usr.sbin/bind/lib/dns/gen-win32.h
index 157b115e957..e0c3934400a 100644
--- a/usr.sbin/bind/lib/dns/gen-win32.h
+++ b/usr.sbin/bind/lib/dns/gen-win32.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -44,7 +43,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: gen-win32.h,v 1.5 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: gen-win32.h,v 1.6 2019/12/17 01:46:31 sthen Exp $ */
 
 /*! \file
  * \author Principal Authors: Computer Systems Research Group at UC Berkeley
diff --git a/usr.sbin/bind/lib/dns/gen.c b/usr.sbin/bind/lib/dns/gen.c
index 4a8d50ea541..6a20a6ad7c3 100644
--- a/usr.sbin/bind/lib/dns/gen.c
+++ b/usr.sbin/bind/lib/dns/gen.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -548,7 +547,7 @@ main(int argc, char **argv) {
 	for (i = 0; i < TYPENAMES; i++)
 		memset(&typenames[i], 0, sizeof(typenames[i]));
 
-	strcpy(srcdir, "");
+	srcdir[0] = '\0';
 	while ((c = isc_commandline_parse(argc, argv, "cdits:F:P:S:")) != -1)
 		switch (c) {
 		case 'c':
@@ -643,7 +642,8 @@ main(int argc, char **argv) {
 	} else
 		year[0] = 0;
 
-	if (!depend) fprintf(stdout, copyright, year);
+	if (!depend)
+		fprintf(stdout, copyright, year);
 
 	if (code) {
 		fputs("#ifndef DNS_CODE_H\n", stdout);
diff --git a/usr.sbin/bind/lib/dns/geoip.c b/usr.sbin/bind/lib/dns/geoip.c
index 47467265ac7..2c462b2cb3a 100644
--- a/usr.sbin/bind/lib/dns/geoip.c
+++ b/usr.sbin/bind/lib/dns/geoip.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -196,10 +196,12 @@ set_state(unsigned int family, isc_uint32_t ipnum, const geoipv6_t *ipnum6,
 	clean_state(state);
 #endif
 
-	if (family == AF_INET)
+	if (family == AF_INET) {
 		state->ipnum = ipnum;
-	else
+	} else {
+		INSIST(ipnum6 != NULL);
 		state->ipnum6 = *ipnum6;
+	}
 
 	state->family = family;
 	state->subtype = subtype;
diff --git a/usr.sbin/bind/lib/dns/gssapi_link.c b/usr.sbin/bind/lib/dns/gssapi_link.c
index d9e6fad5d34..69853f9a4e5 100644
--- a/usr.sbin/bind/lib/dns/gssapi_link.c
+++ b/usr.sbin/bind/lib/dns/gssapi_link.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: gssapi_link.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 #include <config.h>
diff --git a/usr.sbin/bind/lib/dns/gssapictx.c b/usr.sbin/bind/lib/dns/gssapictx.c
index 2e16a7511a2..ab4d7122f3a 100644
--- a/usr.sbin/bind/lib/dns/gssapictx.c
+++ b/usr.sbin/bind/lib/dns/gssapictx.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: gssapictx.c,v 1.3 2019/12/17 01:46:31 sthen Exp $ */
 
 #include <config.h>
 
@@ -701,10 +700,14 @@ dst_gssapi_acceptctx(gss_cred_id_t cred,
 		 */
 		const char *old = getenv("KRB5_KTNAME");
 		if (old == NULL || strcmp(old, gssapi_keytab) != 0) {
-			char *kt = malloc(strlen(gssapi_keytab) + 13);
+			size_t size;
+			char *kt;
+
+			size = strlen(gssapi_keytab) + 13;
+			kt = malloc(size);
 			if (kt == NULL)
 				return (ISC_R_NOMEMORY);
-			sprintf(kt, "KRB5_KTNAME=%s", gssapi_keytab);
+			snprintf(kt, size, "KRB5_KTNAME=%s", gssapi_keytab);
 			if (putenv(kt) != 0)
 				return (ISC_R_NOMEMORY);
 		}
diff --git a/usr.sbin/bind/lib/dns/hmac_link.c b/usr.sbin/bind/lib/dns/hmac_link.c
index ae476ed7438..e78f54a5e0e 100644
--- a/usr.sbin/bind/lib/dns/hmac_link.c
+++ b/usr.sbin/bind/lib/dns/hmac_link.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +33,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: hmac_link.c,v 1.3 2019/12/17 01:46:31 sthen Exp $
  */
 
 #include <config.h>
@@ -51,6 +53,9 @@
 #include <dst/result.h>
 
 #include "dst_internal.h"
+#ifdef HAVE_FIPS_MODE
+#include "dst_openssl.h"	/* FIPS_mode() prototype */
+#endif
 #include "dst_parse.h"
 
 #ifndef PK11_MD5_DISABLE
@@ -174,7 +179,7 @@ hmacmd5_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacmd5_fromdns(key, &b);
-	memset(data, 0, ISC_MD5_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -189,8 +194,8 @@ static void
 hmacmd5_destroy(dst_key_t *key) {
 	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
 
-	memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacmd5 = NULL;
 }
 
@@ -316,7 +321,7 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
@@ -346,6 +351,28 @@ static dst_func_t hmacmd5_functions = {
 
 isc_result_t
 dst__hmacmd5_init(dst_func_t **funcp) {
+#ifdef HAVE_FIPS_MODE
+	/*
+	 * Problems from OpenSSL are likely from FIPS mode
+	 */
+	int fips_mode = FIPS_mode();
+
+	if (fips_mode != 0) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "FIPS mode is %d: MD5 is only supported "
+				 "if the value is 0.\n"
+				 "Please disable either FIPS mode or MD5.",
+				 fips_mode);
+	}
+#endif
+
+	/*
+	 * Prevent use of incorrect crypto
+	 */
+
+	RUNTIME_CHECK(isc_md5_check(ISC_FALSE));
+	RUNTIME_CHECK(isc_hmacmd5_check(0));
+
 	REQUIRE(funcp != NULL);
 	if (*funcp == NULL)
 		*funcp = &hmacmd5_functions;
@@ -460,7 +487,7 @@ hmacsha1_generate(dst_key_t *key, int pseudorandom_ok, void (*callback)(int)) {
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacsha1_fromdns(key, &b);
-	memset(data, 0, ISC_SHA1_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -475,8 +502,8 @@ static void
 hmacsha1_destroy(dst_key_t *key) {
 	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
 
-	memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacsha1 = NULL;
 }
 
@@ -602,7 +629,7 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
@@ -632,6 +659,12 @@ static dst_func_t hmacsha1_functions = {
 
 isc_result_t
 dst__hmacsha1_init(dst_func_t **funcp) {
+	/*
+	 * Prevent use of incorrect crypto
+	 */
+	RUNTIME_CHECK(isc_sha1_check(ISC_FALSE));
+	RUNTIME_CHECK(isc_hmacsha1_check(0));
+
 	REQUIRE(funcp != NULL);
 	if (*funcp == NULL)
 		*funcp = &hmacsha1_functions;
@@ -747,7 +780,7 @@ hmacsha224_generate(dst_key_t *key, int pseudorandom_ok,
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacsha224_fromdns(key, &b);
-	memset(data, 0, ISC_SHA224_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -762,8 +795,8 @@ static void
 hmacsha224_destroy(dst_key_t *key) {
 	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
 
-	memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacsha224 = NULL;
 }
 
@@ -889,7 +922,7 @@ hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
@@ -1034,7 +1067,7 @@ hmacsha256_generate(dst_key_t *key, int pseudorandom_ok,
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacsha256_fromdns(key, &b);
-	memset(data, 0, ISC_SHA256_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -1049,8 +1082,8 @@ static void
 hmacsha256_destroy(dst_key_t *key) {
 	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
 
-	memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacsha256 = NULL;
 }
 
@@ -1176,7 +1209,7 @@ hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
@@ -1321,7 +1354,7 @@ hmacsha384_generate(dst_key_t *key, int pseudorandom_ok,
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacsha384_fromdns(key, &b);
-	memset(data, 0, ISC_SHA384_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -1336,8 +1369,8 @@ static void
 hmacsha384_destroy(dst_key_t *key) {
 	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
 
-	memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacsha384 = NULL;
 }
 
@@ -1463,7 +1496,7 @@ hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
@@ -1608,7 +1641,7 @@ hmacsha512_generate(dst_key_t *key, int pseudorandom_ok,
 	isc_buffer_init(&b, data, bytes);
 	isc_buffer_add(&b, bytes);
 	ret = hmacsha512_fromdns(key, &b);
-	memset(data, 0, ISC_SHA512_BLOCK_LENGTH);
+	isc_safe_memwipe(data, sizeof(data));
 
 	return (ret);
 }
@@ -1623,8 +1656,8 @@ static void
 hmacsha512_destroy(dst_key_t *key) {
 	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
 
-	memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
-	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
+	isc_safe_memwipe(hkey, sizeof(*hkey));
+	isc_mem_put(key->mctx, hkey, sizeof(*hkey));
 	key->keydata.hmacsha512 = NULL;
 }
 
@@ -1750,7 +1783,7 @@ hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (result);
 }
 
diff --git a/usr.sbin/bind/lib/dns/include/Makefile.in b/usr.sbin/bind/lib/dns/include/Makefile.in
index 1628471175a..d6c627b7e38 100644
--- a/usr.sbin/bind/lib/dns/include/Makefile.in
+++ b/usr.sbin/bind/lib/dns/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:32 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/dns/include/dns/Makefile.in b/usr.sbin/bind/lib/dns/include/dns/Makefile.in
index 4e5a383ecd3..9dbb6319391 100644
--- a/usr.sbin/bind/lib/dns/include/dns/Makefile.in
+++ b/usr.sbin/bind/lib/dns/include/dns/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:32 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/dns/include/dns/acache.h b/usr.sbin/bind/lib/dns/include/dns/acache.h
index 8097920dfc0..4c5a4d39727 100644
--- a/usr.sbin/bind/lib/dns/include/dns/acache.h
+++ b/usr.sbin/bind/lib/dns/include/dns/acache.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: acache.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ACACHE_H
 #define DNS_ACACHE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/acl.h b/usr.sbin/bind/lib/dns/include/dns/acl.h
index 12394f034f6..b8ab58302ee 100644
--- a/usr.sbin/bind/lib/dns/include/dns/acl.h
+++ b/usr.sbin/bind/lib/dns/include/dns/acl.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: acl.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/adb.h b/usr.sbin/bind/lib/dns/include/dns/adb.h
index 8c4840693fb..bacee941b7c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/adb.h
+++ b/usr.sbin/bind/lib/dns/include/dns/adb.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.h,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: adb.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ADB_H
 #define DNS_ADB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/bit.h b/usr.sbin/bind/lib/dns/include/dns/bit.h
index 624ccfc5de8..4493e7dd1fc 100644
--- a/usr.sbin/bind/lib/dns/include/dns/bit.h
+++ b/usr.sbin/bind/lib/dns/include/dns/bit.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bit.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: bit.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_BIT_H
 #define DNS_BIT_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/byaddr.h b/usr.sbin/bind/lib/dns/include/dns/byaddr.h
index 720fc9332b3..b9b395c6f02 100644
--- a/usr.sbin/bind/lib/dns/include/dns/byaddr.h
+++ b/usr.sbin/bind/lib/dns/include/dns/byaddr.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.h,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: byaddr.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_BYADDR_H
 #define DNS_BYADDR_H 1
@@ -161,7 +160,7 @@ dns_byaddr_createptrname2(isc_netaddr_t *address, unsigned int options,
  * set.  'options' are the same as for dns_byaddr_create().
  *
  * Requires:
- * 
+ *
  * \li	'address' is a valid address.
  * \li	'name' is a valid name with a dedicated buffer.
  */
diff --git a/usr.sbin/bind/lib/dns/include/dns/cache.h b/usr.sbin/bind/lib/dns/include/dns/cache.h
index aab9979ce71..219439b9dad 100644
--- a/usr.sbin/bind/lib/dns/include/dns/cache.h
+++ b/usr.sbin/bind/lib/dns/include/dns/cache.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: cache.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/callbacks.h b/usr.sbin/bind/lib/dns/include/dns/callbacks.h
index fd42f91129b..8927ed25ef1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/callbacks.h
+++ b/usr.sbin/bind/lib/dns/include/dns/callbacks.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: callbacks.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_CALLBACKS_H
 #define DNS_CALLBACKS_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/cert.h b/usr.sbin/bind/lib/dns/include/dns/cert.h
index aee0db8c213..aa1792f5b99 100644
--- a/usr.sbin/bind/lib/dns/include/dns/cert.h
+++ b/usr.sbin/bind/lib/dns/include/dns/cert.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: cert.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_CERT_H
 #define DNS_CERT_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/client.h b/usr.sbin/bind/lib/dns/include/dns/client.h
index 73494b26f96..34cd80ca129 100644
--- a/usr.sbin/bind/lib/dns/include/dns/client.h
+++ b/usr.sbin/bind/lib/dns/include/dns/client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: client.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_CLIENT_H
 #define DNS_CLIENT_H 1
@@ -218,22 +218,22 @@ dns_client_destroy(dns_client_t **clientp);
 
 isc_result_t
 dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
-		      dns_name_t *namespace, isc_sockaddrlist_t *addrs);
+		      dns_name_t *name_space, isc_sockaddrlist_t *addrs);
 /*%<
  * Specify a list of addresses of recursive name servers that the client will
  * use for name resolution.  A view for the 'rdclass' class must be created
- * beforehand.  If 'namespace' is non NULL, the specified server will be used
- * if and only if the query name is a subdomain of 'namespace'.  When servers
- * for multiple 'namespace's are provided, and a query name is covered by
- * more than one 'namespace', the servers for the best (longest) matching
- * namespace will be used.  If 'namespace' is NULL, it works as if
+ * beforehand.  If 'name_space' is non NULL, the specified server will be used
+ * if and only if the query name is a subdomain of 'name_space'.  When servers
+ * for multiple 'name_space's are provided, and a query name is covered by
+ * more than one 'name_space', the servers for the best (longest) matching
+ * name_space will be used.  If 'name_space' is NULL, it works as if
  * dns_rootname (.) were specified.
  *
  * Requires:
  *
  *\li	'client' is a valid client.
  *
- *\li	'namespace' is NULL or a valid name.
+ *\li	'name_space' is NULL or a valid name.
  *
  *\li	'addrs' != NULL.
  *
@@ -246,17 +246,17 @@ dns_client_setservers(dns_client_t *client, dns_rdataclass_t rdclass,
 
 isc_result_t
 dns_client_clearservers(dns_client_t *client, dns_rdataclass_t rdclass,
-			dns_name_t *namespace);
+			dns_name_t *name_space);
 /*%<
- * Remove configured recursive name servers for the 'rdclass' and 'namespace'
+ * Remove configured recursive name servers for the 'rdclass' and 'name_space'
  * from the client.  See the description of dns_client_setservers() for
- * the requirements about 'rdclass' and 'namespace'.
+ * the requirements about 'rdclass' and 'name_space'.
  *
  * Requires:
  *
  *\li	'client' is a valid client.
  *
- *\li	'namespace' is NULL or a valid name.
+ *\li	'name_space' is NULL or a valid name.
  *
  * Returns:
  *
@@ -269,10 +269,10 @@ isc_result_t
 dns_client_setdlv(dns_client_t *client, dns_rdataclass_t rdclass,
 		  const char *dlvname);
 /*%<
- * Specify a name to use for DNSSEC lookaside validation (e.g.,
- * "dlv.isc.org"). If a trusted key has been added for that name,
- * then DLV will be used during validation.  If 'dlvname' is NULL,
- * then DLV will no longer be used for this client.
+ * Specify a name to use for DNSSEC lookaside validation.
+ * If a trusted key has been added for that name, then DLV will be
+ * used during validation.  If 'dlvname' is NULL, then DLV will no
+ * longer be used for this client.
  *
  * Requires:
  *
diff --git a/usr.sbin/bind/lib/dns/include/dns/clientinfo.h b/usr.sbin/bind/lib/dns/include/dns/clientinfo.h
index 5b69b834f1a..5d7a31aa8a1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/clientinfo.h
+++ b/usr.sbin/bind/lib/dns/include/dns/clientinfo.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: clientinfo.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: clientinfo.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_CLIENTINFO_H
 #define DNS_CLIENTINFO_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/compress.h b/usr.sbin/bind/lib/dns/include/dns/compress.h
index c8c52705cc8..15a3a2fe584 100644
--- a/usr.sbin/bind/lib/dns/include/dns/compress.h
+++ b/usr.sbin/bind/lib/dns/include/dns/compress.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: compress.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -87,7 +86,6 @@ dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
  *
  *	Returns:
  *	\li	#ISC_R_SUCCESS
- *	\li	failures from dns_rbt_create()
  */
 
 void
diff --git a/usr.sbin/bind/lib/dns/include/dns/db.h b/usr.sbin/bind/lib/dns/include/dns/db.h
index 607698b1afc..42e97085328 100644
--- a/usr.sbin/bind/lib/dns/include/dns/db.h
+++ b/usr.sbin/bind/lib/dns/include/dns/db.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.h,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: db.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -842,14 +841,6 @@ dns_db_findext(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *	\li	#ISC_R_SUCCESS			The desired node and type were
  *						found.
  *
- *	\li	#DNS_R_WILDCARD			The desired node and type were
- *						found after performing
- *						wildcard matching.  This is
- *						only returned if the
- *						#DNS_DBFIND_INDICATEWILD
- *						option is set; otherwise
- *						#ISC_R_SUCCESS is returned.
- *
  *	\li	#DNS_R_GLUE			The desired node and type were
  *						found, but are glue.  This
  *						result can only occur if
diff --git a/usr.sbin/bind/lib/dns/include/dns/dbiterator.h b/usr.sbin/bind/lib/dns/include/dns/dbiterator.h
index b3bcf072a6e..b2a3f233658 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dbiterator.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dbiterator.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dbiterator.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DBITERATOR_H
 #define DNS_DBITERATOR_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/dbtable.h b/usr.sbin/bind/lib/dns/include/dns/dbtable.h
index 6fdb8963c6b..a0de1e50d27 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dbtable.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dbtable.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbtable.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dbtable.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DBTABLE_H
 #define DNS_DBTABLE_H 1
@@ -155,7 +154,7 @@ dns_dbtable_find(dns_dbtable_t *dbtable, dns_name_t *name,
  *\li	If the DNS_DBTABLEFIND_NOEXACT option is set, the best partial
  *	match (if any) to 'name' will be returned.
  *
- * Returns:  
+ * Returns:
  * \li #ISC_R_SUCCESS		on success
  *\li	     something else:		no default and match
  */
diff --git a/usr.sbin/bind/lib/dns/include/dns/diff.h b/usr.sbin/bind/lib/dns/include/dns/diff.h
index 294189df55a..f9f87a4dd50 100644
--- a/usr.sbin/bind/lib/dns/include/dns/diff.h
+++ b/usr.sbin/bind/lib/dns/include/dns/diff.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: diff.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DIFF_H
 #define DNS_DIFF_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/dispatch.h b/usr.sbin/bind/lib/dns/include/dns/dispatch.h
index 5bcab2f9904..bdc8a55a5d4 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dispatch.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dispatch.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.h,v 1.8 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dispatch.h,v 1.9 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DISPATCH_H
 #define DNS_DISPATCH_H 1
@@ -524,6 +523,9 @@ dns_dispatch_importrecv(dns_dispatch_t *disp, isc_event_t *event);
  * shared between dispatchers and clients.  If the dispatcher fails to copy
  * or send the event, nothing happens.
  *
+ * If the attribute DNS_DISPATCHATTR_NOLISTEN is not set, then
+ * the dispatch is already handling a recv; return immediately.
+ *
  * Requires:
  *\li 	disp is valid, and the attribute DNS_DISPATCHATTR_NOLISTEN is set.
  * 	event != NULL
diff --git a/usr.sbin/bind/lib/dns/include/dns/dlz.h b/usr.sbin/bind/lib/dns/include/dns/dlz.h
index 5f7af19e248..326f2deb8c1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dlz.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dlz.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2005-2007, 2009-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -50,7 +49,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dlz.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file dns/dlz.h */
 
diff --git a/usr.sbin/bind/lib/dns/include/dns/dlz_dlopen.h b/usr.sbin/bind/lib/dns/include/dns/dlz_dlopen.h
index f1014391aae..cbe4a6f31e9 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dlz_dlopen.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dlz_dlopen.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,9 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz_dlopen.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: dlz_dlopen.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
-/*! \file dns/dlz_open.h */
+/*! \file dns/dlz_dlopen.h */
 
 #ifndef DLZ_DLOPEN_H
 #define DLZ_DLOPEN_H
diff --git a/usr.sbin/bind/lib/dns/include/dns/dns64.h b/usr.sbin/bind/lib/dns/include/dns/dns64.h
index f90c6c044a0..e7e6f66366c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dns64.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dns64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dns64.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: dns64.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DNS64_H
 #define DNS_DNS64_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/dnssec.h b/usr.sbin/bind/lib/dns/include/dns/dnssec.h
index 3b7a901a330..5bf164e68d6 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dnssec.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dnssec.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: dnssec.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/ds.h b/usr.sbin/bind/lib/dns/include/dns/ds.h
index 46d3eba9689..cbc44edfb68 100644
--- a/usr.sbin/bind/lib/dns/include/dns/ds.h
+++ b/usr.sbin/bind/lib/dns/include/dns/ds.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: ds.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/dsdigest.h b/usr.sbin/bind/lib/dns/include/dns/dsdigest.h
index cf2ae222d8c..b52710a5f5c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/dsdigest.h
+++ b/usr.sbin/bind/lib/dns/include/dns/dsdigest.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dsdigest.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: dsdigest.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_DSDIGEST_H
 #define DNS_DSDIGEST_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/ecdb.h b/usr.sbin/bind/lib/dns/include/dns/ecdb.h
index ab42ed9ff31..1aadd01bca1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/ecdb.h
+++ b/usr.sbin/bind/lib/dns/include/dns/ecdb.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ecdb.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: ecdb.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ECDB_H
 #define DNS_ECDB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/events.h b/usr.sbin/bind/lib/dns/include/dns/events.h
index da031c4cb84..d203b7104bb 100644
--- a/usr.sbin/bind/lib/dns/include/dns/events.h
+++ b/usr.sbin/bind/lib/dns/include/dns/events.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: events.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
@@ -80,6 +79,7 @@
 #define DNS_EVENT_KEYDONE			(ISC_EVENTCLASS_DNS + 50)
 #define DNS_EVENT_SETNSEC3PARAM			(ISC_EVENTCLASS_DNS + 51)
 #define DNS_EVENT_SETSERIAL			(ISC_EVENTCLASS_DNS + 52)
+#define DNS_EVENT_STARTUPDATE			(ISC_EVENTCLASS_DNS + 58)
 
 #define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
diff --git a/usr.sbin/bind/lib/dns/include/dns/fixedname.h b/usr.sbin/bind/lib/dns/include/dns/fixedname.h
index 1c6f2d71b61..6054856ec2a 100644
--- a/usr.sbin/bind/lib/dns/include/dns/fixedname.h
+++ b/usr.sbin/bind/lib/dns/include/dns/fixedname.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fixedname.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: fixedname.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_FIXEDNAME_H
 #define DNS_FIXEDNAME_H 1
@@ -74,7 +73,7 @@ struct dns_fixedname {
 	do { \
 		dns_name_init(&((fn)->name), (fn)->offsets); \
 		isc_buffer_init(&((fn)->buffer), (fn)->data, \
-                                  DNS_NAME_MAXWIRE); \
+				  DNS_NAME_MAXWIRE); \
 		dns_name_setbuffer(&((fn)->name), &((fn)->buffer)); \
 	} while (0)
 
diff --git a/usr.sbin/bind/lib/dns/include/dns/forward.h b/usr.sbin/bind/lib/dns/include/dns/forward.h
index 058b25be8a4..bac8bf3e910 100644
--- a/usr.sbin/bind/lib/dns/include/dns/forward.h
+++ b/usr.sbin/bind/lib/dns/include/dns/forward.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/include/dns/geoip.h b/usr.sbin/bind/lib/dns/include/dns/geoip.h
index 35a4036a120..f6769371ebe 100644
--- a/usr.sbin/bind/lib/dns/include/dns/geoip.h
+++ b/usr.sbin/bind/lib/dns/include/dns/geoip.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/include/dns/iptable.h b/usr.sbin/bind/lib/dns/include/dns/iptable.h
index 9095455172a..6d355e163c7 100644
--- a/usr.sbin/bind/lib/dns/include/dns/iptable.h
+++ b/usr.sbin/bind/lib/dns/include/dns/iptable.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iptable.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: iptable.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_IPTABLE_H
 #define DNS_IPTABLE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/journal.h b/usr.sbin/bind/lib/dns/include/dns/journal.h
index 88f9ec2b2cb..fd4acc88db1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/journal.h
+++ b/usr.sbin/bind/lib/dns/include/dns/journal.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: journal.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_JOURNAL_H
 #define DNS_JOURNAL_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/keydata.h b/usr.sbin/bind/lib/dns/include/dns/keydata.h
index c17fe4ecfbc..ad5f60464a8 100644
--- a/usr.sbin/bind/lib/dns/include/dns/keydata.h
+++ b/usr.sbin/bind/lib/dns/include/dns/keydata.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keydata.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: keydata.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_KEYDATA_H
 #define DNS_KEYDATA_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/keyflags.h b/usr.sbin/bind/lib/dns/include/dns/keyflags.h
index b4f1277dfa5..5da78f21488 100644
--- a/usr.sbin/bind/lib/dns/include/dns/keyflags.h
+++ b/usr.sbin/bind/lib/dns/include/dns/keyflags.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyflags.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: keyflags.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_KEYFLAGS_H
 #define DNS_KEYFLAGS_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/keytable.h b/usr.sbin/bind/lib/dns/include/dns/keytable.h
index e7ec91725b3..9d439b406fc 100644
--- a/usr.sbin/bind/lib/dns/include/dns/keytable.h
+++ b/usr.sbin/bind/lib/dns/include/dns/keytable.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: keytable.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/keyvalues.h b/usr.sbin/bind/lib/dns/include/dns/keyvalues.h
index a54daf85543..c3b1568383c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/keyvalues.h
+++ b/usr.sbin/bind/lib/dns/include/dns/keyvalues.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: keyvalues.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
@@ -73,6 +72,8 @@
 #define DNS_KEYALG_ECCGOST	12
 #define DNS_KEYALG_ECDSA256	13
 #define DNS_KEYALG_ECDSA384	14
+#define DNS_KEYALG_ED25519	15
+#define DNS_KEYALG_ED448	16
 #define DNS_KEYALG_INDIRECT	252
 #define DNS_KEYALG_PRIVATEDNS	253
 #define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
@@ -109,4 +110,10 @@
 #define DNS_KEY_ECDSA256SIZE	64
 #define DNS_KEY_ECDSA384SIZE	96
 
+#define DNS_SIG_ED25519SIZE	64
+#define DNS_SIG_ED448SIZE	114
+
+#define DNS_KEY_ED25519SIZE	32
+#define DNS_KEY_ED448SIZE	57
+
 #endif /* DNS_KEYVALUES_H */
diff --git a/usr.sbin/bind/lib/dns/include/dns/lib.h b/usr.sbin/bind/lib/dns/include/dns/lib.h
index fa212835127..f4d99b1f63c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/lib.h
+++ b/usr.sbin/bind/lib/dns/include/dns/lib.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: lib.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/log.h b/usr.sbin/bind/lib/dns/include/dns/log.h
index 845be49907f..007c8167732 100644
--- a/usr.sbin/bind/lib/dns/include/dns/log.h
+++ b/usr.sbin/bind/lib/dns/include/dns/log.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -78,6 +77,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGMODULE_DNSSEC		(&dns_modules[27])
 #define DNS_LOGMODULE_CRYPTO		(&dns_modules[28])
 #define DNS_LOGMODULE_PACKETS		(&dns_modules[29])
+#define DNS_LOGMODULE_SSU		(&dns_modules[30])
 
 ISC_LANG_BEGINDECLS
 
diff --git a/usr.sbin/bind/lib/dns/include/dns/lookup.h b/usr.sbin/bind/lib/dns/include/dns/lookup.h
index 7aaff81cd3c..8e25e26f0ed 100644
--- a/usr.sbin/bind/lib/dns/include/dns/lookup.h
+++ b/usr.sbin/bind/lib/dns/include/dns/lookup.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: lookup.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_LOOKUP_H
 #define DNS_LOOKUP_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/master.h b/usr.sbin/bind/lib/dns/include/dns/master.h
index c331f1194a1..fecfbe83fc7 100644
--- a/usr.sbin/bind/lib/dns/include/dns/master.h
+++ b/usr.sbin/bind/lib/dns/include/dns/master.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.h,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: master.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_MASTER_H
 #define DNS_MASTER_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/masterdump.h b/usr.sbin/bind/lib/dns/include/dns/masterdump.h
index b34c4b28c52..7f628142582 100644
--- a/usr.sbin/bind/lib/dns/include/dns/masterdump.h
+++ b/usr.sbin/bind/lib/dns/include/dns/masterdump.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2013, 2014, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/include/dns/message.h b/usr.sbin/bind/lib/dns/include/dns/message.h
index 3d7385b6296..beadfdad5df 100644
--- a/usr.sbin/bind/lib/dns/include/dns/message.h
+++ b/usr.sbin/bind/lib/dns/include/dns/message.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -107,6 +106,7 @@
 #define DNS_OPT_EXPIRE		9		/*%< EXPIRE opt code */
 #define DNS_OPT_COOKIE		10		/*%< COOKIE opt code */
 #define DNS_OPT_PAD		12		/*%< PAD opt code */
+#define DNS_OPT_KEY_TAG		14		/*%< Key tag opt code */
 
 /*%< The number of EDNS options we know about. */
 #define DNS_EDNSOPTIONS	4
@@ -143,7 +143,6 @@ typedef int dns_messagetextflag_t;
 #define DNS_MESSAGETEXTFLAG_NOHEADERS	0x0002
 #define DNS_MESSAGETEXTFLAG_ONESOA	0x0004
 #define DNS_MESSAGETEXTFLAG_OMITSOA	0x0008
-#define DNS_MESSAGETEXTFLAG_COMMENTDATA	0x0010
 
 /*
  * Dynamic update names for these sections.
@@ -381,21 +380,20 @@ dns_message_totext(dns_message_t *msg, const dns_master_style_t *style,
 /*%<
  * Convert all sections of message 'msg' to a cleartext representation
  *
- * Notes:
- * \li     In flags, If #DNS_MESSAGETEXTFLAG_OMITDOT is set, then the
- *      final '.' in absolute names will not be emitted.  If
- *      #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning
- *      with ";;" will be emitted indicating section name.  If
- *      #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will
- *      be emitted.
- *
- *	If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the
- *	first SOA record in the answer section.  If
- *	#DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
- *	in the answer section.  These are useful for suppressing the
- *	display of the second SOA record in a AXFR by setting
- *	#DNS_MESSAGETEXTFLAG_ONESOA on the first message in a AXFR stream
- *	and #DNS_MESSAGETEXTFLAG_OMITSOA on subsequent messages.
+ * Notes on flags:
+ *\li	If #DNS_MESSAGETEXTFLAG_NOCOMMENTS is cleared, lines beginning with
+ * 	";;" will be emitted indicating section name.
+ *\li	If #DNS_MESSAGETEXTFLAG_NOHEADERS is cleared, header lines will be
+ * 	emitted.
+ *\li   If #DNS_MESSAGETEXTFLAG_ONESOA is set then only print the first
+ *	SOA record in the answer section.
+ *\li	If *#DNS_MESSAGETEXTFLAG_OMITSOA is set don't print any SOA records
+ *	in the answer section.
+ *
+ * The SOA flags are useful for suppressing the display of the second
+ * SOA record in an AXFR by setting #DNS_MESSAGETEXTFLAG_ONESOA on the
+ * first message in an AXFR stream and #DNS_MESSAGETEXTFLAG_OMITSOA on
+ * subsequent messages.
  *
  * Requires:
  *
diff --git a/usr.sbin/bind/lib/dns/include/dns/name.h b/usr.sbin/bind/lib/dns/include/dns/name.h
index d1e7d0c6b34..42758b05ed1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/name.h
+++ b/usr.sbin/bind/lib/dns/include/dns/name.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.7 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: name.h,v 1.8 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -346,7 +345,11 @@ unsigned int
 dns_name_hashbylabel(dns_name_t *name, isc_boolean_t case_sensitive);
 /*%<
  * Provide a hash value for 'name', where the hash value is the sum
- * of the hash values of each label.
+ * of the hash values of each label.  This function should only be used
+ * when incremental hashing is necessary, for example, during RBT
+ * traversal. It is not currently used in BIND. Generally,
+ * dns_name_fullhash() is the correct function to use for name
+ * hashing.
  *
  * Note: if 'case_sensitive' is ISC_FALSE, then names which differ only in
  * case will have the same hash value.
@@ -800,8 +803,6 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
  *\li	#DNS_R_EMPTYLABEL
  *\li	#DNS_R_LABELTOOLONG
  *\li	#DNS_R_BADESCAPE
- *\li	(#DNS_R_BADBITSTRING: should not be returned)
- *\li	(#DNS_R_BITSTRINGTOOLONG: should not be returned)
  *\li	#DNS_R_BADDOTTEDQUAD
  *\li	#ISC_R_NOSPACE
  *\li	#ISC_R_UNEXPECTEDEND
@@ -1303,6 +1304,12 @@ dns_name_isula(const dns_name_t *owner);
  * Determine if the 'name' is in the ULA reverse namespace.
  */
 
+isc_boolean_t
+dns_name_istat(const dns_name_t *name);
+/*
+ * Determine if 'name' is a potential 'trust-anchor-telementry' name.
+ */
+
 ISC_LANG_ENDDECLS
 
 /*
diff --git a/usr.sbin/bind/lib/dns/include/dns/ncache.h b/usr.sbin/bind/lib/dns/include/dns/ncache.h
index 1b6f5fada34..19f300c7bbd 100644
--- a/usr.sbin/bind/lib/dns/include/dns/ncache.h
+++ b/usr.sbin/bind/lib/dns/include/dns/ncache.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ncache.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/nsec.h b/usr.sbin/bind/lib/dns/include/dns/nsec.h
index eb75b817db3..72d41f75a0b 100644
--- a/usr.sbin/bind/lib/dns/include/dns/nsec.h
+++ b/usr.sbin/bind/lib/dns/include/dns/nsec.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_NSEC_H
 #define DNS_NSEC_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/nsec3.h b/usr.sbin/bind/lib/dns/include/dns/nsec3.h
index 4c0bd676f94..3e71c7d8e8c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/nsec3.h
+++ b/usr.sbin/bind/lib/dns/include/dns/nsec3.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: nsec3.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_NSEC3_H
 #define DNS_NSEC3_H 1
@@ -240,6 +240,19 @@ dns_nsec3param_toprivate(dns_rdata_t *src, dns_rdata_t *target,
  */
 
 isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen);
+/*%<
+ * Convert the salt of given NSEC3PARAM RDATA into hex-encoded, NULL-terminated
+ * text stored at "dst".
+ *
+ * Requires:
+ *
+ *\li 	"dst" to have enough space (as indicated by "dstlen") to hold the
+ * 	resulting text and its NULL-terminating byte.
+ */
+
+isc_result_t
 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
 			    dns_zone_t *zone, isc_boolean_t nonsec,
 			    dns_diff_t *diff);
diff --git a/usr.sbin/bind/lib/dns/include/dns/opcode.h b/usr.sbin/bind/lib/dns/include/dns/opcode.h
index f2eced798e6..0d847703cca 100644
--- a/usr.sbin/bind/lib/dns/include/dns/opcode.h
+++ b/usr.sbin/bind/lib/dns/include/dns/opcode.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opcode.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: opcode.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_OPCODE_H
 #define DNS_OPCODE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/order.h b/usr.sbin/bind/lib/dns/include/dns/order.h
index 7326caf1d14..2fc12617e0d 100644
--- a/usr.sbin/bind/lib/dns/include/dns/order.h
+++ b/usr.sbin/bind/lib/dns/include/dns/order.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: order.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ORDER_H
 #define DNS_ORDER_H 1
@@ -53,8 +52,8 @@ dns_order_add(dns_order_t *order, dns_name_t *name,
  * Requires:
  * \li	'order' to be valid.
  *\li	'name' to be valid.
- *\li	'mode' to be one of #DNS_RDATASERATTR_RANDOMIZE,
- *		#DNS_RDATASERATTR_RANDOMIZE or zero (#DNS_RDATASERATTR_CYCLIC).
+ *\li	'mode' to be one of #DNS_RDATASETATTR_RANDOMIZE,
+ *		#DNS_RDATASETATTR_FIXEDORDER or zero (#DNS_RDATASETATTR_CYCLIC).
  *
  * Returns:
  *\li	#ISC_R_SUCCESS
diff --git a/usr.sbin/bind/lib/dns/include/dns/peer.h b/usr.sbin/bind/lib/dns/include/dns/peer.h
index 34a7034ca7e..9c7934f1bf3 100644
--- a/usr.sbin/bind/lib/dns/include/dns/peer.h
+++ b/usr.sbin/bind/lib/dns/include/dns/peer.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: peer.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/portlist.h b/usr.sbin/bind/lib/dns/include/dns/portlist.h
index 0e948c38618..f010b39345e 100644
--- a/usr.sbin/bind/lib/dns/include/dns/portlist.h
+++ b/usr.sbin/bind/lib/dns/include/dns/portlist.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: portlist.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file dns/portlist.h */
 
@@ -25,13 +24,16 @@
 
 #include <dns/types.h>
 
+#ifndef DNS_PORTLIST_H
+#define DNS_PORTLIST_H 1
+
 ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_portlist_create(isc_mem_t *mctx, dns_portlist_t **portlistp);
 /*%<
  * Create a port list.
- * 
+ *
  * Requires:
  *\li	'mctx' to be valid.
  *\li	'portlistp' to be non NULL and '*portlistp' to be NULL;
@@ -99,3 +101,5 @@ dns_portlist_detach(dns_portlist_t **portlistp);
  */
 
 ISC_LANG_ENDDECLS
+
+#endif /* DNS_PORTLIST_H */
diff --git a/usr.sbin/bind/lib/dns/include/dns/private.h b/usr.sbin/bind/lib/dns/include/dns/private.h
index 68f2121622a..aae8b39c172 100644
--- a/usr.sbin/bind/lib/dns/include/dns/private.h
+++ b/usr.sbin/bind/lib/dns/include/dns/private.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: private.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: private.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/usr.sbin/bind/lib/dns/include/dns/rbt.h b/usr.sbin/bind/lib/dns/include/dns/rbt.h
index ed145a5c31c..1ccb03b53c5 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rbt.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rbt.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +14,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rbt.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
 
 /*! \file dns/rbt.h */
 
+#include <isc/assertions.h>
 #include <isc/crc64.h>
 #include <isc/lang.h>
 #include <isc/magic.h>
@@ -203,6 +203,13 @@ typedef void (*dns_rbtdeleter_t)(void *, void *);
  * pointers, chains might be going away in a future release, though the
  * movement functionality would remain.
  *
+ * Chains may be used to iterate over a tree of trees.  After setting up the
+ * chain's structure using dns_rbtnodechain_init(), it needs to be initialized
+ * to point to the lexically first or lexically last node in the tree of trees
+ * using dns_rbtnodechain_first() or dns_rbtnodechain_last(), respectively.
+ * Calling dns_rbtnodechain_next() or dns_rbtnodechain_prev() then moves the
+ * chain over to the next or previous node, respectively.
+ *
  * In any event, parent information, whether via parent pointers or chains, is
  * necessary information for iterating through the tree or for basic internal
  * tree maintenance issues (ie, the rotations that are done to rebalance the
@@ -1078,7 +1085,7 @@ dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
 	} while (0)
 #else  /* DNS_RBT_USEISCREFCOUNT */
 #define dns_rbtnode_refinit(node, n)    ((node)->references = (n))
-#define dns_rbtnode_refdestroy(node)    REQUIRE((node)->references == 0)
+#define dns_rbtnode_refdestroy(node)    ISC_REQUIRE((node)->references == 0)
 #define dns_rbtnode_refcurrent(node)    ((node)->references)
 
 #if (__STDC_VERSION__ + 0) >= 199901L || defined __GNUC__
@@ -1091,7 +1098,7 @@ dns_rbtnode_refincrement0(dns_rbtnode_t *node, unsigned int *refs) {
 
 static inline void
 dns_rbtnode_refincrement(dns_rbtnode_t *node, unsigned int *refs) {
-	REQUIRE(node->references > 0);
+	ISC_REQUIRE(node->references > 0);
 	node->references++;
 	if (refs != NULL)
 		*refs = node->references;
@@ -1099,7 +1106,7 @@ dns_rbtnode_refincrement(dns_rbtnode_t *node, unsigned int *refs) {
 
 static inline void
 dns_rbtnode_refdecrement(dns_rbtnode_t *node, unsigned int *refs) {
-	REQUIRE(node->references > 0);
+	ISC_REQUIRE(node->references > 0);
 	node->references--;
 	if (refs != NULL)
 		*refs = node->references;
@@ -1114,14 +1121,14 @@ dns_rbtnode_refdecrement(dns_rbtnode_t *node, unsigned int *refs) {
 	} while (0)
 #define dns_rbtnode_refincrement(node, refs)                    \
 	do {                                                    \
-		REQUIRE((node)->references > 0);                \
+		ISC_REQUIRE((node)->references > 0);                \
 		(node)->references++;                           \
 		if ((refs) != NULL)                             \
 			(*refs) = (node)->references;           \
 	} while (0)
 #define dns_rbtnode_refdecrement(node, refs)                    \
 	do {                                                    \
-		REQUIRE((node)->references > 0);                \
+		ISC_REQUIRE((node)->references > 0);                \
 		(node)->references--;                           \
 		if ((refs) != NULL)                             \
 			(*refs) = (node)->references;           \
diff --git a/usr.sbin/bind/lib/dns/include/dns/rcode.h b/usr.sbin/bind/lib/dns/include/dns/rcode.h
index b6f2021fd08..a52438d2e4d 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rcode.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rcode.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.h,v 1.3 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rcode.h,v 1.4 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RCODE_H
 #define DNS_RCODE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdata.h b/usr.sbin/bind/lib/dns/include/dns/rdata.h
index b8a21748016..c8a06b4610e 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdata.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdata.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2013, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -503,7 +502,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
  */
 
 isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx);
 /*%<
  * Convert an rdata into its C structure representation.
  *
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdataclass.h b/usr.sbin/bind/lib/dns/include/dns/rdataclass.h
index 0518fb951c3..d29af24e87c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdataclass.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdataclass.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataclass.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdataclass.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATACLASS_H
 #define DNS_RDATACLASS_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdatalist.h b/usr.sbin/bind/lib/dns/include/dns/rdatalist.h
index 7e0dbdf06ca..ce29e64e056 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdatalist.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdatalist.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdatalist.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATALIST_H
 #define DNS_RDATALIST_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdataset.h b/usr.sbin/bind/lib/dns/include/dns/rdataset.h
index 0bb675161b1..0175718a660 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdataset.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdataset.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.7 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdataset.h,v 1.8 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdatasetiter.h b/usr.sbin/bind/lib/dns/include/dns/rdatasetiter.h
index 7b55dd479ed..67c55068ba9 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdatasetiter.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdatasetiter.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdatasetiter.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATASETITER_H
 #define DNS_RDATASETITER_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdataslab.h b/usr.sbin/bind/lib/dns/include/dns/rdataslab.h
index 0dad0c12996..3e6e71c1167 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdataslab.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdataslab.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.h,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdataslab.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATASLAB_H
 #define DNS_RDATASLAB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rdatatype.h b/usr.sbin/bind/lib/dns/include/dns/rdatatype.h
index 5f5660a84ac..d60c112be1b 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rdatatype.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rdatatype.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatatype.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdatatype.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATATYPE_H
 #define DNS_RDATATYPE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/request.h b/usr.sbin/bind/lib/dns/include/dns/request.h
index f4a607e4592..b87aff36533 100644
--- a/usr.sbin/bind/lib/dns/include/dns/request.h
+++ b/usr.sbin/bind/lib/dns/include/dns/request.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2010, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: request.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/resolver.h b/usr.sbin/bind/lib/dns/include/dns/resolver.h
index 19bb4625184..f218ca661dd 100644
--- a/usr.sbin/bind/lib/dns/include/dns/resolver.h
+++ b/usr.sbin/bind/lib/dns/include/dns/resolver.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -94,17 +93,23 @@ typedef enum {
 /*
  * Options that modify how a 'fetch' is done.
  */
-#define DNS_FETCHOPT_TCP		0x001	     /*%< Use TCP. */
-#define DNS_FETCHOPT_UNSHARED		0x002	     /*%< See below. */
-#define DNS_FETCHOPT_RECURSIVE		0x004	     /*%< Set RD? */
-#define DNS_FETCHOPT_NOEDNS0		0x008	     /*%< Do not use EDNS. */
-#define DNS_FETCHOPT_FORWARDONLY	0x010	     /*%< Only use forwarders. */
-#define DNS_FETCHOPT_NOVALIDATE		0x020	     /*%< Disable validation. */
-#define DNS_FETCHOPT_EDNS512		0x040	     /*%< Advertise a 512 byte
+#define DNS_FETCHOPT_TCP		0x0001	     /*%< Use TCP. */
+#define DNS_FETCHOPT_UNSHARED		0x0002	     /*%< See below. */
+#define DNS_FETCHOPT_RECURSIVE		0x0004	     /*%< Set RD? */
+#define DNS_FETCHOPT_NOEDNS0		0x0008	     /*%< Do not use EDNS. */
+#define DNS_FETCHOPT_FORWARDONLY	0x0010	     /*%< Only use forwarders. */
+#define DNS_FETCHOPT_NOVALIDATE		0x0020	     /*%< Disable validation. */
+#define DNS_FETCHOPT_EDNS512		0x0040	     /*%< Advertise a 512 byte
 							  UDP buffer. */
-#define DNS_FETCHOPT_WANTNSID		0x080	     /*%< Request NSID */
-#define DNS_FETCHOPT_PREFETCH		0x100	     /*%< Do prefetch */
-#define DNS_FETCHOPT_NOCDFLAG		0x200	     /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_WANTNSID		0x0080	     /*%< Request NSID */
+#define DNS_FETCHOPT_PREFETCH		0x0100	     /*%< Do prefetch */
+#define DNS_FETCHOPT_NOCDFLAG		0x0200	     /*%< Don't set CD flag. */
+#define DNS_FETCHOPT_NONTA		0x0400	     /*%< Ignore NTA table. */
+/* RESERVED ECS				0x0000 */
+/* RESERVED ECS				0x1000 */
+/* RESERVED ECS				0x2000 */
+/* RESERVED TCPCLIENT			0x4000 */
+#define DNS_FETCHOPT_NOCACHED		0x8000	     /*%< Force cache update. */
 
 /* Reserved in use by adb.c		0x00400000 */
 #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
diff --git a/usr.sbin/bind/lib/dns/include/dns/result.h b/usr.sbin/bind/lib/dns/include/dns/result.h
index 5da5ba79cd7..3c4fd74afb4 100644
--- a/usr.sbin/bind/lib/dns/include/dns/result.h
+++ b/usr.sbin/bind/lib/dns/include/dns/result.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: result.h,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rootns.h b/usr.sbin/bind/lib/dns/include/dns/rootns.h
index ce2e459ec0a..02dd4956fa7 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rootns.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rootns.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rootns.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_ROOTNS_H
 #define DNS_ROOTNS_H 1
@@ -30,7 +29,7 @@ ISC_LANG_BEGINDECLS
 
 isc_result_t
 dns_rootns_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
-                  const char *filename, dns_db_t **target);
+		  const char *filename, dns_db_t **target);
 
 void
 dns_root_checkhints(dns_view_t *view, dns_db_t *hints, dns_db_t *db);
diff --git a/usr.sbin/bind/lib/dns/include/dns/rpz.h b/usr.sbin/bind/lib/dns/include/dns/rpz.h
index f99580270ff..7afac3217fa 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rpz.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rpz.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rpz.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: rpz.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 
 #ifndef DNS_RPZ_H
 #define DNS_RPZ_H 1
 
+#include <isc/event.h>
 #include <isc/lang.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
diff --git a/usr.sbin/bind/lib/dns/include/dns/rriterator.h b/usr.sbin/bind/lib/dns/include/dns/rriterator.h
index 1754a3f084f..f7f1950e1bb 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rriterator.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rriterator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rriterator.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: rriterator.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RRITERATOR_H
 #define DNS_RRITERATOR_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/rrl.h b/usr.sbin/bind/lib/dns/include/dns/rrl.h
index aaaa886fd41..8318917baf1 100644
--- a/usr.sbin/bind/lib/dns/include/dns/rrl.h
+++ b/usr.sbin/bind/lib/dns/include/dns/rrl.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015, 2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/include/dns/sdb.h b/usr.sbin/bind/lib/dns/include/dns/sdb.h
index cae1f119edb..240ae2b83b8 100644
--- a/usr.sbin/bind/lib/dns/include/dns/sdb.h
+++ b/usr.sbin/bind/lib/dns/include/dns/sdb.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sdb.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_SDB_H
 #define DNS_SDB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/sdlz.h b/usr.sbin/bind/lib/dns/include/dns/sdlz.h
index 353937ed6ae..8f99336090a 100644
--- a/usr.sbin/bind/lib/dns/include/dns/sdlz.h
+++ b/usr.sbin/bind/lib/dns/include/dns/sdlz.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2005-2007, 2009-2012  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -50,7 +49,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sdlz.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file dns/sdlz.h */
 
diff --git a/usr.sbin/bind/lib/dns/include/dns/secalg.h b/usr.sbin/bind/lib/dns/include/dns/secalg.h
index 7c2cee9b092..4eb84719386 100644
--- a/usr.sbin/bind/lib/dns/include/dns/secalg.h
+++ b/usr.sbin/bind/lib/dns/include/dns/secalg.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: secalg.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/secproto.h b/usr.sbin/bind/lib/dns/include/dns/secproto.h
index 8b9a308a8a9..783885b03b6 100644
--- a/usr.sbin/bind/lib/dns/include/dns/secproto.h
+++ b/usr.sbin/bind/lib/dns/include/dns/secproto.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secproto.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: secproto.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_SECPROTO_H
 #define DNS_SECPROTO_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/soa.h b/usr.sbin/bind/lib/dns/include/dns/soa.h
index 505dd95358d..e7aa2133d22 100644
--- a/usr.sbin/bind/lib/dns/include/dns/soa.h
+++ b/usr.sbin/bind/lib/dns/include/dns/soa.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: soa.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_SOA_H
 #define DNS_SOA_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/ssu.h b/usr.sbin/bind/lib/dns/include/dns/ssu.h
index 617064f0759..a7e6bb3c918 100644
--- a/usr.sbin/bind/lib/dns/include/dns/ssu.h
+++ b/usr.sbin/bind/lib/dns/include/dns/ssu.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2010, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ssu.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ssu.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
@@ -24,26 +23,49 @@
 
 #include <isc/lang.h>
 
+#include <dns/acl.h>
 #include <dns/types.h>
 #include <dst/dst.h>
 
 ISC_LANG_BEGINDECLS
 
-#define DNS_SSUMATCHTYPE_NAME		0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
-#define DNS_SSUMATCHTYPE_WILDCARD	2
-#define DNS_SSUMATCHTYPE_SELF		3
-#define DNS_SSUMATCHTYPE_SELFSUB	4
-#define DNS_SSUMATCHTYPE_SELFWILD	5
-#define DNS_SSUMATCHTYPE_SELFKRB5	6
-#define DNS_SSUMATCHTYPE_SELFMS		7
-#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
-#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
-#define DNS_SSUMATCHTYPE_TCPSELF	10
-#define DNS_SSUMATCHTYPE_6TO4SELF	11
-#define DNS_SSUMATCHTYPE_EXTERNAL	12
-#define DNS_SSUMATCHTYPE_DLZ		13
-#define DNS_SSUMATCHTYPE_MAX 		12  /* max value */
+typedef enum {
+	dns_ssumatchtype_name = 0,
+	dns_ssumatchtype_subdomain = 1,
+	dns_ssumatchtype_wildcard = 2,
+	dns_ssumatchtype_self    = 3,
+	dns_ssumatchtype_selfsub = 4,
+	dns_ssumatchtype_selfwild = 5,
+	dns_ssumatchtype_selfkrb5 = 6,
+	dns_ssumatchtype_selfms  = 7,
+	dns_ssumatchtype_subdomainms = 8,
+	dns_ssumatchtype_subdomainkrb5 = 9,
+	dns_ssumatchtype_tcpself = 10,
+	dns_ssumatchtype_6to4self = 11,
+	dns_ssumatchtype_external = 12,
+	dns_ssumatchtype_local = 13,
+	dns_ssumatchtype_max = 13,      /* max value */
+
+	dns_ssumatchtype_dlz = 14       /* intentionally higher than _max */
+} dns_ssumatchtype_t;
+
+#define DNS_SSUMATCHTYPE_NAME		dns_ssumatchtype_name
+#define DNS_SSUMATCHTYPE_SUBDOMAIN	dns_ssumatchtype_subdomain
+#define DNS_SSUMATCHTYPE_WILDCARD	dns_ssumatchtype_wildcard
+#define DNS_SSUMATCHTYPE_SELF		dns_ssumatchtype_self
+#define DNS_SSUMATCHTYPE_SELFSUB	dns_ssumatchtype_selfsub
+#define DNS_SSUMATCHTYPE_SELFWILD	dns_ssumatchtype_selfwild
+#define DNS_SSUMATCHTYPE_SELFKRB5	dns_ssumatchtype_selfkrb5
+#define DNS_SSUMATCHTYPE_SELFMS		dns_ssumatchtype_selfms
+#define DNS_SSUMATCHTYPE_SUBDOMAINMS	dns_ssumatchtype_subdomainms
+#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	dns_ssumatchtype_subdomainkrb5
+#define DNS_SSUMATCHTYPE_TCPSELF	dns_ssumatchtype_tcpself
+#define DNS_SSUMATCHTYPE_6TO4SELF	dns_ssumatchtype_6to4self
+#define DNS_SSUMATCHTYPE_EXTERNAL	dns_ssumatchtype_external
+#define DNS_SSUMATCHTYPE_LOCAL		dns_ssumatchtype_local
+#define DNS_SSUMATCHTYPE_MAX 		dns_ssumatchtype_max  /* max value */
+
+#define DNS_SSUMATCHTYPE_DLZ		dns_ssumatchtype_dlz  /* intentionally higher than _MAX */
 
 isc_result_t
 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
@@ -132,7 +154,12 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, isc_netaddr_t *tcpaddr,
+			dns_name_t *name, isc_netaddr_t *addr,
+			dns_rdatatype_t type, const dst_key_t *key);
+isc_boolean_t
+dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
+			dns_name_t *name, isc_netaddr_t *addr,
+			isc_boolean_t tcp, const dns_aclenv_t *env,
 			dns_rdatatype_t type, const dst_key_t *key);
 /*%<
  *	Checks that the attempted update of (name, type) is allowed according
@@ -140,11 +167,19 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
  *	no rules are matched, access is denied.
  *
  *	Notes:
- *		'tcpaddr' should only be set if the request received
- *		via TCP.  This provides a weak assurance that the
- *		request was not spoofed.  'tcpaddr' is to to validate
- *		DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
- *		rules.
+ *		In dns_ssutable_checkrules(), 'addr' should only be
+ *		set if the request received via TCP.  This provides a
+ *		weak assurance that the request was not spoofed.
+ *		'addr' is to to validate DNS_SSUMATCHTYPE_TCPSELF
+ *		and DNS_SSUMATCHTYPE_6TO4SELF rules.
+ *
+ *		In dns_ssutable_checkrules2(), 'addr' can also be passed for
+ *		UDP requests and TCP is specified via the 'tcp' parameter.
+ *		In addition to DNS_SSUMATCHTYPE_TCPSELF and
+ *		tcp_ssumatchtype_6to4self  rules, the address
+ *		also be used to check DNS_SSUMATCHTYPE_LOCAL rules.
+ *		If 'addr' is set then 'env' must also be set so that
+ *		requests from non-localhost addresses can be rejected.
  *
  *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
  *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
@@ -160,8 +195,10 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
  *	Requires:
  *\li		'table' is a valid SSU table
  *\li		'signer' is NULL or a valid absolute name
- *\li		'tcpaddr' is NULL or a valid network address.
+ *\li		'addr' is NULL or a valid network address.
+ *\li		'aclenv' is NULL or a valid ACL environment.
  *\li		'name' is a valid absolute name
+ *\li		if 'addr' is not NULL, 'env' is not NULL.
  */
 
 
@@ -197,15 +234,28 @@ isc_result_t	dns_ssutable_nextrule(dns_ssurule_t *rule,
  *\li	#ISC_R_NOMORE
  */
 
-
-/*%<
- * Check a policy rule via an external application
- */
 isc_boolean_t
 dns_ssu_external_match(dns_name_t *identity, dns_name_t *signer,
 		       dns_name_t *name, isc_netaddr_t *tcpaddr,
 		       dns_rdatatype_t type, const dst_key_t *key,
 		       isc_mem_t *mctx);
+/*%<
+ * Check a policy rule via an external application
+ */
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype);
+/*%<
+ * Set 'mtype' from 'str'
+ *
+ * Requires:
+ *\li		'str' is not NULL.
+ *\li		'mtype' is not NULL,
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOTFOUND
+ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/usr.sbin/bind/lib/dns/include/dns/stats.h b/usr.sbin/bind/lib/dns/include/dns/stats.h
index a568300c92e..0a86288e504 100644
--- a/usr.sbin/bind/lib/dns/include/dns/stats.h
+++ b/usr.sbin/bind/lib/dns/include/dns/stats.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: stats.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/tcpmsg.h b/usr.sbin/bind/lib/dns/include/dns/tcpmsg.h
index 50ca8ae37f1..a838cdd9f2c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/tcpmsg.h
+++ b/usr.sbin/bind/lib/dns/include/dns/tcpmsg.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tcpmsg.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TCPMSG_H
 #define DNS_TCPMSG_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/time.h b/usr.sbin/bind/lib/dns/include/dns/time.h
index 7d19e09e94c..5da0ce590ca 100644
--- a/usr.sbin/bind/lib/dns/include/dns/time.h
+++ b/usr.sbin/bind/lib/dns/include/dns/time.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: time.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TIME_H
 #define DNS_TIME_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/timer.h b/usr.sbin/bind/lib/dns/include/dns/timer.h
index 461ded6b9eb..20a47b2c410 100644
--- a/usr.sbin/bind/lib/dns/include/dns/timer.h
+++ b/usr.sbin/bind/lib/dns/include/dns/timer.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: timer.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TIMER_H
 #define DNS_TIMER_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/tkey.h b/usr.sbin/bind/lib/dns/include/dns/tkey.h
index 90f8e5373ed..01b87bf7815 100644
--- a/usr.sbin/bind/lib/dns/include/dns/tkey.h
+++ b/usr.sbin/bind/lib/dns/include/dns/tkey.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tkey.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/tsec.h b/usr.sbin/bind/lib/dns/include/dns/tsec.h
index 4687576f055..d87501a4816 100644
--- a/usr.sbin/bind/lib/dns/include/dns/tsec.h
+++ b/usr.sbin/bind/lib/dns/include/dns/tsec.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2010, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsec.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: tsec.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TSEC_H
 #define DNS_TSEC_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/tsig.h b/usr.sbin/bind/lib/dns/include/dns/tsig.h
index 2faabe9b9f8..979160d44e9 100644
--- a/usr.sbin/bind/lib/dns/include/dns/tsig.h
+++ b/usr.sbin/bind/lib/dns/include/dns/tsig.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tsig.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/ttl.h b/usr.sbin/bind/lib/dns/include/dns/ttl.h
index 291caf0125c..8d12335b4e3 100644
--- a/usr.sbin/bind/lib/dns/include/dns/ttl.h
+++ b/usr.sbin/bind/lib/dns/include/dns/ttl.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ttl.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_TTL_H
 #define DNS_TTL_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/types.h b/usr.sbin/bind/lib/dns/include/dns/types.h
index 964d40c6406..916260d6d9d 100644
--- a/usr.sbin/bind/lib/dns/include/dns/types.h
+++ b/usr.sbin/bind/lib/dns/include/dns/types.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2013, 2015, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/include/dns/update.h b/usr.sbin/bind/lib/dns/include/dns/update.h
index 049b56dbe37..9c181f00985 100644
--- a/usr.sbin/bind/lib/dns/include/dns/update.h
+++ b/usr.sbin/bind/lib/dns/include/dns/update.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: update.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_UPDATE_H
 #define DNS_UPDATE_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/validator.h b/usr.sbin/bind/lib/dns/include/dns/validator.h
index 48437fcb6a5..398bcd652fb 100644
--- a/usr.sbin/bind/lib/dns/include/dns/validator.h
+++ b/usr.sbin/bind/lib/dns/include/dns/validator.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: validator.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/version.h b/usr.sbin/bind/lib/dns/include/dns/version.h
index a761352d8f1..bf15011db23 100644
--- a/usr.sbin/bind/lib/dns/include/dns/version.h
+++ b/usr.sbin/bind/lib/dns/include/dns/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,10 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file dns/version.h */
 
+#ifndef DNS_VERSION_H
+#define DNS_VERSION_H 1
+
 #include <isc/platform.h>
 
 LIBDNS_EXTERNAL_DATA extern const char dns_version[];
@@ -28,3 +30,5 @@ LIBDNS_EXTERNAL_DATA extern const char dns_mapapi[];
 LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libinterface;
 LIBDNS_EXTERNAL_DATA extern const unsigned int dns_librevision;
 LIBDNS_EXTERNAL_DATA extern const unsigned int dns_libage;
+
+#endif /* DNS_VERSION_H */
diff --git a/usr.sbin/bind/lib/dns/include/dns/view.h b/usr.sbin/bind/lib/dns/include/dns/view.h
index 1fb3ff91592..a74c56646aa 100644
--- a/usr.sbin/bind/lib/dns/include/dns/view.h
+++ b/usr.sbin/bind/lib/dns/include/dns/view.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: view.h,v 1.7 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -129,6 +128,7 @@ struct dns_view {
 	isc_boolean_t			enablevalidation;
 	isc_boolean_t			acceptexpired;
 	isc_boolean_t			trust_anchor_telemetry;
+	isc_boolean_t			root_key_sentinel;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			cacheacl;
 	dns_acl_t *			cacheonacl;
@@ -1146,7 +1146,7 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
  * \li	'dnskey' is valid.
  */
 
-void
+isc_result_t
 dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
 		     void (*cfg_destroy)(void **));
 /*%<
@@ -1165,6 +1165,10 @@ dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
  *
  * Requires:
  * \li 'view' is valid.
+ *
+ * Returns:
+ * \li ISC_R_SUCCESS
+ * \li ISC_R_NOMEMORY
  */
 
 void
@@ -1183,16 +1187,37 @@ dns_view_searchdlz(dns_view_t *view, dns_name_t *name,
  * findzone method.  If successful, '*dbp' is set to point to the
  * DLZ database.
  *
+ * Requires:
+ * \li 'view' is valid.
+ * \li 'name' is not NULL.
+ * \li 'dbp' is not NULL and *dbp is NULL.
+ *
  * Returns:
  * \li ISC_R_SUCCESS
  * \li ISC_R_NOTFOUND
+ */
+
+void
+dns_view_setviewcommit(dns_view_t *view);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * view.
  *
  * Requires:
- * \li 'view' is valid.
- * \li 'name' is not NULL.
- * \li 'dbp' is not NULL and *dbp is NULL.
+ *\li	'view' to be valid.
+ */
+
+void
+dns_view_setviewrevert(dns_view_t *view);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * view.
+ *
+ * Requires:
+ *\li	'view' to be valid.
  */
 
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_VIEW_H */
diff --git a/usr.sbin/bind/lib/dns/include/dns/xfrin.h b/usr.sbin/bind/lib/dns/include/dns/xfrin.h
index a8318fc2ab3..9204720cdf7 100644
--- a/usr.sbin/bind/lib/dns/include/dns/xfrin.h
+++ b/usr.sbin/bind/lib/dns/include/dns/xfrin.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: xfrin.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/zone.h b/usr.sbin/bind/lib/dns/include/dns/zone.h
index af40a3fd3f2..876f02b114c 100644
--- a/usr.sbin/bind/lib/dns/include/dns/zone.h
+++ b/usr.sbin/bind/lib/dns/include/dns/zone.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.9 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: zone.h,v 1.10 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
@@ -233,6 +232,26 @@ dns_zone_getview(dns_zone_t *zone);
  *\li	'zone' to be a valid zone.
  */
 
+void
+dns_zone_setviewcommit(dns_zone_t *zone);
+/*%<
+ *	Commit the previous view saved internally via dns_zone_setview().
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone);
+/*%<
+ *	Revert the most recent dns_zone_setview() on this zone,
+ *	restoring the previous view.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+
 isc_result_t
 dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin);
 /*%<
@@ -1244,6 +1263,9 @@ dns_zone_getjournalsize(dns_zone_t *zone);
 isc_result_t
 dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		       dns_message_t *msg);
+isc_result_t
+dns_zone_notifyreceive2(dns_zone_t *zone, isc_sockaddr_t *from,
+			isc_sockaddr_t *to, dns_message_t *msg);
 /*%<
  *	Tell the zone that it has received a NOTIFY message from another
  *	server.  This may cause some zone maintenance activity to occur.
diff --git a/usr.sbin/bind/lib/dns/include/dns/zonekey.h b/usr.sbin/bind/lib/dns/include/dns/zonekey.h
index bfc1e020021..2e4dde82be4 100644
--- a/usr.sbin/bind/lib/dns/include/dns/zonekey.h
+++ b/usr.sbin/bind/lib/dns/include/dns/zonekey.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: zonekey.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DNS_ZONEKEY_H
 #define DNS_ZONEKEY_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dns/zt.h b/usr.sbin/bind/lib/dns/include/dns/zt.h
index cea5914fea5..be9bdb8c030 100644
--- a/usr.sbin/bind/lib/dns/include/dns/zt.h
+++ b/usr.sbin/bind/lib/dns/include/dns/zt.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: zt.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DNS_ZT_H
 #define DNS_ZT_H 1
@@ -210,6 +209,26 @@ dns_zt_loadspending(dns_zt_t *zt);
  * \li	'zt' to be valid.
  */
 
+void
+dns_zt_setviewcommit(dns_zt_t *zt);
+/*%<
+ * Commit dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt);
+/*%<
+ * Revert dns_zone_setview() calls previously made for all zones in this
+ * zone table.
+ *
+ * Requires:
+ *\li	'view' to be valid.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ZT_H */
diff --git a/usr.sbin/bind/lib/dns/include/dst/Makefile.in b/usr.sbin/bind/lib/dns/include/dst/Makefile.in
index 4927f8a4bd3..07dad5715b5 100644
--- a/usr.sbin/bind/lib/dns/include/dst/Makefile.in
+++ b/usr.sbin/bind/lib/dns/include/dst/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:25 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:33 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/dns/include/dst/dst.h b/usr.sbin/bind/lib/dns/include/dst/dst.h
index 5b6e24a12d2..80ab56d5216 100644
--- a/usr.sbin/bind/lib/dns/include/dst/dst.h
+++ b/usr.sbin/bind/lib/dns/include/dst/dst.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dst.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -64,6 +63,8 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_ECCGOST		12
 #define DST_ALG_ECDSA256	13
 #define DST_ALG_ECDSA384	14
+#define DST_ALG_ED25519		15
+#define DST_ALG_ED448		16
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
 #define DST_ALG_HMACSHA1	161	/* XXXMPA */
diff --git a/usr.sbin/bind/lib/dns/include/dst/gssapi.h b/usr.sbin/bind/lib/dns/include/dst/gssapi.h
index 9ab25df037c..84437813e17 100644
--- a/usr.sbin/bind/lib/dns/include/dst/gssapi.h
+++ b/usr.sbin/bind/lib/dns/include/dst/gssapi.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2011, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: gssapi.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dst/lib.h b/usr.sbin/bind/lib/dns/include/dst/lib.h
index 2d619852c26..7b59b79f959 100644
--- a/usr.sbin/bind/lib/dns/include/dst/lib.h
+++ b/usr.sbin/bind/lib/dns/include/dst/lib.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: lib.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DST_LIB_H
 #define DST_LIB_H 1
diff --git a/usr.sbin/bind/lib/dns/include/dst/result.h b/usr.sbin/bind/lib/dns/include/dst/result.h
index 0bf883a704b..54db2b0b221 100644
--- a/usr.sbin/bind/lib/dns/include/dst/result.h
+++ b/usr.sbin/bind/lib/dns/include/dst/result.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: result.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DST_RESULT_H
 #define DST_RESULT_H 1
diff --git a/usr.sbin/bind/lib/dns/iptable.c b/usr.sbin/bind/lib/dns/iptable.c
index 03784df8698..d96f931ee47 100644
--- a/usr.sbin/bind/lib/dns/iptable.c
+++ b/usr.sbin/bind/lib/dns/iptable.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2009, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,12 +14,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iptable.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: iptable.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
 #include <isc/mem.h>
 #include <isc/radix.h>
+#include <isc/util.h>
 
 #include <dns/acl.h>
 
diff --git a/usr.sbin/bind/lib/dns/journal.c b/usr.sbin/bind/lib/dns/journal.c
index a310ba24807..7b34e3c6009 100644
--- a/usr.sbin/bind/lib/dns/journal.c
+++ b/usr.sbin/bind/lib/dns/journal.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: journal.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
@@ -1015,7 +1014,7 @@ dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
 	dns_difftuple_t *t;
 	isc_buffer_t buffer;
 	void *mem = NULL;
-	unsigned int size;
+	isc_uint64_t size;
 	isc_result_t result;
 	isc_region_t used;
 
@@ -1045,6 +1044,14 @@ dns_journal_writediff(dns_journal_t *j, dns_diff_t *diff) {
 		size += t->rdata.length;
 	}
 
+	if (size >= ISC_INT32_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "dns_journal_writediff: %s: journal entry "
+			      "too big to be stored: %llu bytes", j->filename,
+			      size);
+		return (ISC_R_NOSPACE);
+	}
+
 	mem = isc_mem_get(j->mctx, size);
 	if (mem == NULL)
 		return (ISC_R_NOMEMORY);
@@ -1098,6 +1105,7 @@ isc_result_t
 dns_journal_commit(dns_journal_t *j) {
 	isc_result_t result;
 	journal_rawheader_t rawheader;
+	isc_uint64_t total;
 
 	REQUIRE(DNS_JOURNAL_VALID(j));
 	REQUIRE(j->state == JOURNAL_STATE_TRANSACTION ||
@@ -1148,6 +1156,18 @@ dns_journal_commit(dns_journal_t *j) {
 	}
 
 	/*
+	 * We currently don't support huge journal entries.
+	 */
+	total = j->x.pos[1].offset - j->x.pos[0].offset;
+	if (total >= ISC_INT32_MAX) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			     "transaction too big to be stored in journal: "
+			     "%llub (max is %llub)", total,
+			     (isc_uint64_t)ISC_INT32_MAX);
+		return (ISC_R_UNEXPECTED);
+	}
+
+	/*
 	 * Some old journal entries may become non-addressable
 	 * when we increment the current serial number.  Purge them
 	 * by stepping header.begin forward to the first addressable
@@ -1662,7 +1682,12 @@ read_one_rr(dns_journal_t *j) {
 	journal_xhdr_t xhdr;
 	journal_rrhdr_t rrhdr;
 
-	INSIST(j->offset <= j->it.epos.offset);
+	if (j->offset > j->it.epos.offset) {
+		isc_log_write(JOURNAL_COMMON_LOGARGS, ISC_LOG_ERROR,
+			      "%s: journal corrupt: possible integer overflow",
+			      j->filename);
+		return (ISC_R_UNEXPECTED);
+	}
 	if (j->offset == j->it.epos.offset)
 		return (ISC_R_NOMORE);
 	if (j->it.xpos == j->it.xsize) {
@@ -2091,8 +2116,8 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	unsigned int i;
 	journal_pos_t best_guess;
 	journal_pos_t current_pos;
-	dns_journal_t *j = NULL;
-	dns_journal_t *new = NULL;
+	dns_journal_t *j1 = NULL;
+	dns_journal_t *j2 = NULL;
 	journal_rawheader_t rawheader;
 	unsigned int copy_length;
 	size_t namelen;
@@ -2120,22 +2145,22 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = journal_open(mctx, filename, ISC_FALSE, ISC_FALSE, &j);
+	result = journal_open(mctx, filename, ISC_FALSE, ISC_FALSE, &j1);
 	if (result == ISC_R_NOTFOUND) {
 		is_backup = ISC_TRUE;
-		result = journal_open(mctx, backup, ISC_FALSE, ISC_FALSE, &j);
+		result = journal_open(mctx, backup, ISC_FALSE, ISC_FALSE, &j1);
 	}
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	if (JOURNAL_EMPTY(&j->header)) {
-		dns_journal_destroy(&j);
+	if (JOURNAL_EMPTY(&j1->header)) {
+		dns_journal_destroy(&j1);
 		return (ISC_R_SUCCESS);
 	}
 
-	if (DNS_SERIAL_GT(j->header.begin.serial, serial) ||
-	    DNS_SERIAL_GT(serial, j->header.end.serial)) {
-		dns_journal_destroy(&j);
+	if (DNS_SERIAL_GT(j1->header.begin.serial, serial) ||
+	    DNS_SERIAL_GT(serial, j1->header.end.serial)) {
+		dns_journal_destroy(&j1);
 		return (ISC_R_RANGE);
 	}
 
@@ -2143,19 +2168,19 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	 * Cope with very small target sizes.
 	 */
 	indexend = sizeof(journal_rawheader_t) +
-		   j->header.index_size * sizeof(journal_rawpos_t);
+		   j1->header.index_size * sizeof(journal_rawpos_t);
 	if (target_size < indexend * 2)
 		target_size = target_size/2 + indexend;
 
 	/*
 	 * See if there is any work to do.
 	 */
-	if ((isc_uint32_t) j->header.end.offset < target_size) {
-		dns_journal_destroy(&j);
+	if ((isc_uint32_t) j1->header.end.offset < target_size) {
+		dns_journal_destroy(&j1);
 		return (ISC_R_SUCCESS);
 	}
 
-	CHECK(journal_open(mctx, newname, ISC_TRUE, ISC_TRUE, &new));
+	CHECK(journal_open(mctx, newname, ISC_TRUE, ISC_TRUE, &j2));
 
 	/*
 	 * Remove overhead so space test below can succeed.
@@ -2166,24 +2191,24 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	/*
 	 * Find if we can create enough free space.
 	 */
-	best_guess = j->header.begin;
-	for (i = 0; i < j->header.index_size; i++) {
-		if (POS_VALID(j->index[i]) &&
-		    DNS_SERIAL_GE(serial, j->index[i].serial) &&
-		    ((isc_uint32_t)(j->header.end.offset - j->index[i].offset)
+	best_guess = j1->header.begin;
+	for (i = 0; i < j1->header.index_size; i++) {
+		if (POS_VALID(j1->index[i]) &&
+		    DNS_SERIAL_GE(serial, j1->index[i].serial) &&
+		    ((isc_uint32_t)(j1->header.end.offset - j1->index[i].offset)
 		     >= target_size / 2) &&
-		    j->index[i].offset > best_guess.offset)
-			best_guess = j->index[i];
+		    j1->index[i].offset > best_guess.offset)
+			best_guess = j1->index[i];
 	}
 
 	current_pos = best_guess;
 	while (current_pos.serial != serial) {
-		CHECK(journal_next(j, &current_pos));
-		if (current_pos.serial == j->header.end.serial)
+		CHECK(journal_next(j1, &current_pos));
+		if (current_pos.serial == j1->header.end.serial)
 			break;
 
 		if (DNS_SERIAL_GE(serial, current_pos.serial) &&
-		   ((isc_uint32_t)(j->header.end.offset - current_pos.offset)
+		   ((isc_uint32_t)(j1->header.end.offset - current_pos.offset)
 		     >= (target_size / 2)) &&
 		    current_pos.offset > best_guess.offset)
 			best_guess = current_pos;
@@ -2191,16 +2216,16 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 			break;
 	}
 
-	INSIST(best_guess.serial != j->header.end.serial);
+	INSIST(best_guess.serial != j1->header.end.serial);
 	if (best_guess.serial != serial)
-		CHECK(journal_next(j, &best_guess));
+		CHECK(journal_next(j1, &best_guess));
 
 	/*
 	 * We should now be roughly half target_size provided
 	 * we did not reach 'serial'.  If not we will just copy
 	 * all uncommitted deltas regardless of the size.
 	 */
-	copy_length = j->header.end.offset - best_guess.offset;
+	copy_length = j1->header.end.offset - best_guess.offset;
 
 	if (copy_length != 0) {
 		/*
@@ -2215,51 +2240,51 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 			goto failure;
 		}
 
-		CHECK(journal_seek(j, best_guess.offset));
-		CHECK(journal_seek(new, indexend));
+		CHECK(journal_seek(j1, best_guess.offset));
+		CHECK(journal_seek(j2, indexend));
 		for (i = 0; i < copy_length; i += size) {
 			unsigned int len = (copy_length - i) > size ? size :
 							 (copy_length - i);
-			CHECK(journal_read(j, buf, len));
-			CHECK(journal_write(new, buf, len));
+			CHECK(journal_read(j1, buf, len));
+			CHECK(journal_write(j2, buf, len));
 		}
 
-		CHECK(journal_fsync(new));
+		CHECK(journal_fsync(j2));
 
 		/*
 		 * Compute new header.
 		 */
-		new->header.begin.serial = best_guess.serial;
-		new->header.begin.offset = indexend;
-		new->header.end.serial = j->header.end.serial;
-		new->header.end.offset = indexend + copy_length;
-		new->header.sourceserial = j->header.sourceserial;
-		new->header.serialset = j->header.serialset;
+		j2->header.begin.serial = best_guess.serial;
+		j2->header.begin.offset = indexend;
+		j2->header.end.serial = j1->header.end.serial;
+		j2->header.end.offset = indexend + copy_length;
+		j2->header.sourceserial = j1->header.sourceserial;
+		j2->header.serialset = j1->header.serialset;
 
 		/*
 		 * Update the journal header.
 		 */
-		journal_header_encode(&new->header, &rawheader);
-		CHECK(journal_seek(new, 0));
-		CHECK(journal_write(new, &rawheader, sizeof(rawheader)));
-		CHECK(journal_fsync(new));
+		journal_header_encode(&j2->header, &rawheader);
+		CHECK(journal_seek(j2, 0));
+		CHECK(journal_write(j2, &rawheader, sizeof(rawheader)));
+		CHECK(journal_fsync(j2));
 
 		/*
 		 * Build new index.
 		 */
-		current_pos = new->header.begin;
-		while (current_pos.serial != new->header.end.serial) {
-			index_add(new, &current_pos);
-			CHECK(journal_next(new, &current_pos));
+		current_pos = j2->header.begin;
+		while (current_pos.serial != j2->header.end.serial) {
+			index_add(j2, &current_pos);
+			CHECK(journal_next(j2, &current_pos));
 		}
 
 		/*
 		 * Write index.
 		 */
-		CHECK(index_to_disk(new));
-		CHECK(journal_fsync(new));
+		CHECK(index_to_disk(j2));
+		CHECK(journal_fsync(j2));
 
-		indexend = new->header.end.offset;
+		indexend = j2->header.end.offset;
 		POST(indexend);
 	}
 
@@ -2267,8 +2292,8 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	 * Close both journals before trying to rename files (this is
 	 * necessary on WIN32).
 	 */
-	dns_journal_destroy(&j);
-	dns_journal_destroy(&new);
+	dns_journal_destroy(&j1);
+	dns_journal_destroy(&j2);
 
 	/*
 	 * With a UFS file system this should just succeed and be atomic.
@@ -2305,10 +2330,10 @@ dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
 	(void)isc_file_remove(newname);
 	if (buf != NULL)
 		isc_mem_put(mctx, buf, size);
-	if (j != NULL)
-		dns_journal_destroy(&j);
-	if (new != NULL)
-		dns_journal_destroy(&new);
+	if (j1 != NULL)
+		dns_journal_destroy(&j1);
+	if (j2 != NULL)
+		dns_journal_destroy(&j2);
 	return (result);
 }
 
diff --git a/usr.sbin/bind/lib/dns/key.c b/usr.sbin/bind/lib/dns/key.c
index e2c8e75b53c..60116345152 100644
--- a/usr.sbin/bind/lib/dns/key.c
+++ b/usr.sbin/bind/lib/dns/key.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: key.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/dns/keydata.c b/usr.sbin/bind/lib/dns/keydata.c
index 90f7b5135d4..565bdc83afd 100644
--- a/usr.sbin/bind/lib/dns/keydata.c
+++ b/usr.sbin/bind/lib/dns/keydata.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keydata.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: keydata.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/keytable.c b/usr.sbin/bind/lib/dns/keytable.c
index 82f9473a7dc..1850e55150d 100644
--- a/usr.sbin/bind/lib/dns/keytable.c
+++ b/usr.sbin/bind/lib/dns/keytable.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2010, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: keytable.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -23,6 +22,7 @@
 
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/refcount.h>
 #include <isc/rwlock.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
@@ -42,12 +42,10 @@ struct dns_keytable {
 	/* Unlocked. */
 	unsigned int            magic;
 	isc_mem_t               *mctx;
-	isc_mutex_t             lock;
+	isc_refcount_t          active_nodes;
+	isc_refcount_t          references;
 	isc_rwlock_t            rwlock;
-	/* Locked by lock. */
-	isc_uint32_t            active_nodes;
 	/* Locked by rwlock. */
-	isc_uint32_t            references;
 	dns_rbt_t               *table;
 };
 
@@ -79,38 +77,48 @@ dns_keytable_create(isc_mem_t *mctx, dns_keytable_t **keytablep) {
 	REQUIRE(keytablep != NULL && *keytablep == NULL);
 
 	keytable = isc_mem_get(mctx, sizeof(*keytable));
-	if (keytable == NULL)
+	if (keytable == NULL) {
 		return (ISC_R_NOMEMORY);
+	}
 
 	keytable->table = NULL;
 	result = dns_rbt_create(mctx, free_keynode, mctx, &keytable->table);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto cleanup_keytable;
+	}
 
-	result = isc_mutex_init(&keytable->lock);
-	if (result != ISC_R_SUCCESS)
+	result = isc_rwlock_init(&keytable->rwlock, 0, 0);
+	if (result != ISC_R_SUCCESS) {
 		goto cleanup_rbt;
+	}
 
-	result = isc_rwlock_init(&keytable->rwlock, 0, 0);
-	if (result != ISC_R_SUCCESS)
-		goto cleanup_lock;
+	result = isc_refcount_init(&keytable->active_nodes, 0);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_rwlock;
+	}
+
+	result = isc_refcount_init(&keytable->references, 1);
+	if (result != ISC_R_SUCCESS) {
+		goto cleanup_active_nodes;
+	}
 
 	keytable->mctx = NULL;
 	isc_mem_attach(mctx, &keytable->mctx);
-	keytable->active_nodes = 0;
-	keytable->references = 1;
 	keytable->magic = KEYTABLE_MAGIC;
 	*keytablep = keytable;
 
 	return (ISC_R_SUCCESS);
 
-   cleanup_lock:
-	DESTROYLOCK(&keytable->lock);
+ cleanup_active_nodes:
+	isc_refcount_destroy(&keytable->active_nodes);
 
-   cleanup_rbt:
+ cleanup_rwlock:
+	isc_rwlock_destroy(&keytable->rwlock);
+
+ cleanup_rbt:
 	dns_rbt_destroy(&keytable->table);
 
-   cleanup_keytable:
+ cleanup_keytable:
 	isc_mem_putanddetach(&mctx, keytable, sizeof(*keytable));
 
 	return (result);
@@ -126,21 +134,15 @@ dns_keytable_attach(dns_keytable_t *source, dns_keytable_t **targetp) {
 	REQUIRE(VALID_KEYTABLE(source));
 	REQUIRE(targetp != NULL && *targetp == NULL);
 
-	RWLOCK(&source->rwlock, isc_rwlocktype_write);
-
-	INSIST(source->references > 0);
-	source->references++;
-	INSIST(source->references != 0);
-
-	RWUNLOCK(&source->rwlock, isc_rwlocktype_write);
+	isc_refcount_increment(&source->references, NULL);
 
 	*targetp = source;
 }
 
 void
 dns_keytable_detach(dns_keytable_t **keytablep) {
-	isc_boolean_t destroy = ISC_FALSE;
 	dns_keytable_t *keytable;
+	unsigned int refs;
 
 	/*
 	 * Detach *keytablep from its keytable.
@@ -149,28 +151,19 @@ dns_keytable_detach(dns_keytable_t **keytablep) {
 	REQUIRE(keytablep != NULL && VALID_KEYTABLE(*keytablep));
 
 	keytable = *keytablep;
+	*keytablep = NULL;
 
-	RWLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	INSIST(keytable->references > 0);
-	keytable->references--;
-	LOCK(&keytable->lock);
-	if (keytable->references == 0 && keytable->active_nodes == 0)
-		destroy = ISC_TRUE;
-	UNLOCK(&keytable->lock);
-
-	RWUNLOCK(&keytable->rwlock, isc_rwlocktype_write);
-
-	if (destroy) {
+	isc_refcount_decrement(&keytable->references, &refs);
+	if (refs == 0) {
+		INSIST(isc_refcount_current(&keytable->active_nodes) == 0);
+		isc_refcount_destroy(&keytable->active_nodes);
+		isc_refcount_destroy(&keytable->references);
 		dns_rbt_destroy(&keytable->table);
 		isc_rwlock_destroy(&keytable->rwlock);
-		DESTROYLOCK(&keytable->lock);
 		keytable->magic = 0;
 		isc_mem_putanddetach(&keytable->mctx,
 				     keytable, sizeof(*keytable));
 	}
-
-	*keytablep = NULL;
 }
 
 static isc_result_t
@@ -355,9 +348,7 @@ dns_keytable_find(dns_keytable_t *keytable, dns_name_t *keyname,
 				  DNS_RBTFIND_NOOPTIONS, NULL, NULL);
 	if (result == ISC_R_SUCCESS) {
 		if (node->data != NULL) {
-			LOCK(&keytable->lock);
-			keytable->active_nodes++;
-			UNLOCK(&keytable->lock);
+			isc_refcount_increment0(&keytable->active_nodes, NULL);
 			dns_keynode_attach(node->data, keynodep);
 		} else
 			result = ISC_R_NOTFOUND;
@@ -385,9 +376,7 @@ dns_keytable_nextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
 		return (ISC_R_NOTFOUND);
 
 	dns_keynode_attach(keynode->next, nextnodep);
-	LOCK(&keytable->lock);
-	keytable->active_nodes++;
-	UNLOCK(&keytable->lock);
+	isc_refcount_increment(&keytable->active_nodes, NULL);
 
 	return (ISC_R_SUCCESS);
 }
@@ -435,9 +424,7 @@ dns_keytable_findkeynode(dns_keytable_t *keytable, dns_name_t *name,
 				break;
 		}
 		if (knode != NULL) {
-			LOCK(&keytable->lock);
-			keytable->active_nodes++;
-			UNLOCK(&keytable->lock);
+			isc_refcount_increment0(&keytable->active_nodes, NULL);
 			dns_keynode_attach(knode, keynodep);
 		} else
 			result = DNS_R_PARTIALMATCH;
@@ -475,9 +462,7 @@ dns_keytable_findnextkeynode(dns_keytable_t *keytable, dns_keynode_t *keynode,
 			break;
 	}
 	if (knode != NULL) {
-		LOCK(&keytable->lock);
-		keytable->active_nodes++;
-		UNLOCK(&keytable->lock);
+		isc_refcount_increment(&keytable->active_nodes, NULL);
 		result = ISC_R_SUCCESS;
 		dns_keynode_attach(knode, nextnodep);
 	} else
@@ -526,9 +511,7 @@ dns_keytable_attachkeynode(dns_keytable_t *keytable, dns_keynode_t *source,
 	REQUIRE(VALID_KEYNODE(source));
 	REQUIRE(target != NULL && *target == NULL);
 
-	LOCK(&keytable->lock);
-	keytable->active_nodes++;
-	UNLOCK(&keytable->lock);
+	isc_refcount_increment(&keytable->active_nodes, NULL);
 
 	dns_keynode_attach(source, target);
 }
@@ -543,11 +526,7 @@ dns_keytable_detachkeynode(dns_keytable_t *keytable, dns_keynode_t **keynodep)
 	REQUIRE(VALID_KEYTABLE(keytable));
 	REQUIRE(keynodep != NULL && VALID_KEYNODE(*keynodep));
 
-	LOCK(&keytable->lock);
-	INSIST(keytable->active_nodes > 0);
-	keytable->active_nodes--;
-	UNLOCK(&keytable->lock);
-
+	isc_refcount_decrement(&keytable->active_nodes, NULL);
 	dns_keynode_detach(keytable->mctx, keynodep);
 }
 
@@ -644,6 +623,7 @@ dns_keytable_forall(dns_keytable_t *keytable,
 			result = ISC_R_SUCCESS;
 		goto cleanup;
 	}
+	isc_refcount_increment0(&keytable->active_nodes, NULL);
 	for (;;) {
 		dns_rbtnodechain_current(&chain, NULL, NULL, &node);
 		if (node->data != NULL)
@@ -655,6 +635,7 @@ dns_keytable_forall(dns_keytable_t *keytable,
 			break;
 		}
 	}
+	isc_refcount_decrement(&keytable->active_nodes, NULL);
 
    cleanup:
 	dns_rbtnodechain_invalidate(&chain);
@@ -687,7 +668,7 @@ dns_keynode_managed(dns_keynode_t *keynode) {
 isc_result_t
 dns_keynode_create(isc_mem_t *mctx, dns_keynode_t **target) {
 	isc_result_t result;
-	dns_keynode_t *knode = NULL;
+	dns_keynode_t *knode;
 
 	REQUIRE(target != NULL && *target == NULL);
 
diff --git a/usr.sbin/bind/lib/dns/lib.c b/usr.sbin/bind/lib/dns/lib.c
index a3d16a7796a..4caf933911b 100644
--- a/usr.sbin/bind/lib/dns/lib.c
+++ b/usr.sbin/bind/lib/dns/lib.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: lib.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/log.c b/usr.sbin/bind/lib/dns/log.c
index 377b03c839d..5d64991372f 100644
--- a/usr.sbin/bind/lib/dns/log.c
+++ b/usr.sbin/bind/lib/dns/log.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -84,6 +83,7 @@ LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/dnssec",		0 },
 	{ "dns/crypto",		0 },
 	{ "dns/packets",	0 },
+	{ "dns/ssu",		0 },
 	{ NULL, 		0 }
 };
 
diff --git a/usr.sbin/bind/lib/dns/lookup.c b/usr.sbin/bind/lib/dns/lookup.c
index 5e78fde76b1..2f9450e26df 100644
--- a/usr.sbin/bind/lib/dns/lookup.c
+++ b/usr.sbin/bind/lib/dns/lookup.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: lookup.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/master.c b/usr.sbin/bind/lib/dns/master.c
index 8c4ecec0e0c..17e7fa15d7b 100644
--- a/usr.sbin/bind/lib/dns/master.c
+++ b/usr.sbin/bind/lib/dns/master.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.7 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: master.c,v 1.8 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -93,6 +92,16 @@
 
 #define CHECKNAMESFAIL(x) (((x) & DNS_MASTER_CHECKNAMESFAIL) != 0)
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+
 typedef ISC_LIST(dns_rdatalist_t) rdatalist_head_t;
 
 typedef struct dns_incctx dns_incctx_t;
@@ -331,39 +340,18 @@ loadctx_destroy(dns_loadctx_t *lctx);
 
 static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
 static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
-static const dns_name_t in_addr_arpa =
-{
-	DNS_NAME_MAGIC,
-	in_addr_arpa_data, 14, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	in_addr_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t const in_addr_arpa =
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
 
 static unsigned char ip6_int_data[]  = "\003IP6\003INT";
 static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
-static const dns_name_t ip6_int =
-{
-	DNS_NAME_MAGIC,
-	ip6_int_data, 9, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_int_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t const ip6_int =
+	DNS_NAME_INITABSOLUTE(ip6_int_data, ip6_int_offsets);
 
 static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
 static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
-static const dns_name_t ip6_arpa =
-{
-	DNS_NAME_MAGIC,
-	ip6_arpa_data, 10, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t const ip6_arpa =
+	DNS_NAME_INITABSOLUTE(ip6_arpa_data, ip6_arpa_offsets);
 
 static inline isc_result_t
 gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *token,
@@ -733,7 +721,7 @@ genname(char *name, int it, char *buffer, size_t length) {
 				continue;
 			}
 			nibblemode = ISC_FALSE;
-			strcpy(fmt, "%d");
+			strlcpy(fmt, "%d", sizeof(fmt));
 			/* Get format specifier. */
 			if (*name == '{' ) {
 				n = sscanf(name, "{%d,%u,%1[doxXnN]}",
@@ -863,6 +851,22 @@ generate(dns_loadctx_t *lctx, char *range, char *lhs, char *gtype, char *rhs,
 		goto insist_cleanup;
 	}
 
+	/*
+	 * RFC2930: TKEY and TSIG are not allowed to be loaded
+	 * from master files.
+	 */
+	if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+	    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+	    dns_rdatatype_ismeta(type))
+	{
+		(*callbacks->error)(callbacks,
+				   "%s: %s:%lu: meta RR type '%s'",
+				   "$GENERATE",
+				   source, line, gtype);
+		result = DNS_R_METATYPE;
+		goto insist_cleanup;
+	}
+
 	for (i = start; i <= stop; i += step) {
 		result = genname(lhs, i, lhsbuf, DNS_MASTER_LHS);
 		if (result != ISC_R_SUCCESS)
@@ -1024,6 +1028,19 @@ openfile_text(dns_loadctx_t *lctx, const char *master_file) {
 	return (isc_lex_openfile(lctx->lex, master_file));
 }
 
+static int
+find_free_name(dns_incctx_t *incctx) {
+	int i;
+
+	for (i = 0; i < (NBUFS - 1); i++) {
+		if (!incctx->in_use[i]) {
+			break;
+		}
+	}
+	INSIST(!incctx->in_use[i]);
+	return (i);
+}
+
 static isc_result_t
 load_text(dns_loadctx_t *lctx) {
 	dns_rdataclass_t rdclass;
@@ -1353,8 +1370,9 @@ load_text(dns_loadctx_t *lctx) {
 					if (MANYERRS(lctx, result)) {
 						SETRESULT(lctx, result);
 						lctx->ttl = 0;
-					} else if (result != ISC_R_SUCCESS)
+					} else {
 						goto insist_and_cleanup;
+					}
 				} else if (!explicit_ttl &&
 					   lctx->default_ttl_known) {
 					lctx->ttl = lctx->default_ttl;
@@ -1385,20 +1403,15 @@ load_text(dns_loadctx_t *lctx) {
 				result = DNS_R_SYNTAX;
 				if (MANYERRS(lctx, result)) {
 					SETRESULT(lctx, result);
-				} else if (result != ISC_R_SUCCESS)
+				} else {
 					goto insist_and_cleanup;
+				}
 			}
 
 			/*
 			 * Normal processing resumes.
-			 *
-			 * Find a free name buffer.
 			 */
-			for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
-				if (!ictx->in_use[new_in_use])
-					break;
-			INSIST(new_in_use < NBUFS);
-			dns_fixedname_init(&ictx->fixed[new_in_use]);
+			new_in_use = find_free_name(ictx);
 			new_name = dns_fixedname_name(&ictx->fixed[new_in_use]);
 			isc_buffer_init(&buffer, token.value.as_region.base,
 					token.value.as_region.length);
@@ -1557,8 +1570,9 @@ load_text(dns_loadctx_t *lctx) {
 				SETRESULT(lctx, result);
 				LOGIT(result);
 				continue;
-			} else if (result != ISC_R_SUCCESS)
+			} else {
 				goto insist_and_cleanup;
+			}
 		}
 
 		/*
@@ -1597,8 +1611,9 @@ load_text(dns_loadctx_t *lctx) {
 					SETRESULT(lctx, result);
 					read_till_eol = ISC_TRUE;
 					continue;
-				} else if (result != ISC_R_SUCCESS)
+				} else {
 					goto insist_and_cleanup;
+				}
 			}
 
 			if (ictx->origin_changed) {
@@ -1641,8 +1656,9 @@ load_text(dns_loadctx_t *lctx) {
 				SETRESULT(lctx, result);
 				read_till_eol = ISC_TRUE;
 				continue;
-			} else if (result != ISC_R_SUCCESS)
+			} else {
 				goto insist_and_cleanup;
+			}
 		}
 
 		if (rdclass == 0 &&
@@ -1659,8 +1675,9 @@ load_text(dns_loadctx_t *lctx) {
 				SETRESULT(lctx, result);
 				read_till_eol = ISC_TRUE;
 				continue;
-			} else if (result != ISC_R_SUCCESS)
+			} else {
 				goto insist_and_cleanup;
+			}
 		}
 
 		result = dns_rdatatype_fromtext(&type,
@@ -1700,8 +1717,9 @@ load_text(dns_loadctx_t *lctx) {
 				SETRESULT(lctx, result);
 				read_till_eol = ISC_TRUE;
 				continue;
-			} else if (result != ISC_R_SUCCESS)
+			} else {
 				goto insist_and_cleanup;
+			}
 		}
 
 		if (type == dns_rdatatype_ns && ictx->glue == NULL)
@@ -1731,6 +1749,30 @@ load_text(dns_loadctx_t *lctx) {
 		}
 
 		/*
+		 * RFC2930: TKEY and TSIG are not allowed to be loaded
+		 * from master files.
+		 */
+		if ((lctx->options & DNS_MASTER_ZONE) != 0 &&
+		    (lctx->options & DNS_MASTER_SLAVE) == 0 &&
+		    dns_rdatatype_ismeta(type))
+		{
+			char typename[DNS_RDATATYPE_FORMATSIZE];
+
+			result = DNS_R_METATYPE;
+
+			dns_rdatatype_format(type, typename, sizeof(typename));
+			(*callbacks->error)(callbacks,
+					    "%s:%lu: %s '%s': %s",
+					    source, line,
+					    "type", typename,
+					    dns_result_totext(result));
+			if (MANYERRS(lctx, result)) {
+				SETRESULT(lctx, result);
+			} else
+				goto insist_and_cleanup;
+		}
+
+		/*
 		 * Find a rdata structure.
 		 */
 		if (rdcount == rdata_size) {
@@ -1789,8 +1831,9 @@ load_text(dns_loadctx_t *lctx) {
 							    namebuf, desc);
 					if (MANYERRS(lctx, result)) {
 						SETRESULT(lctx, result);
-					} else if (result != ISC_R_SUCCESS)
+					} else {
 						goto cleanup;
+					}
 				} else {
 					(*callbacks->warn)(callbacks,
 							   "%s:%lu: %s: %s",
@@ -1841,8 +1884,9 @@ load_text(dns_loadctx_t *lctx) {
 				read_till_eol = ISC_TRUE;
 				target = target_ft;
 				continue;
-			} else if (result != ISC_R_SUCCESS)
+			} else {
 				goto insist_and_cleanup;
+			}
 		}
 
 
@@ -2063,9 +2107,8 @@ static isc_result_t
 pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 	isc_result_t result;
 	dns_incctx_t *ictx;
-	dns_incctx_t *new = NULL;
+	dns_incctx_t *newctx = NULL;
 	isc_region_t r;
-	int new_in_use;
 
 	REQUIRE(master_file != NULL);
 	REQUIRE(DNS_LCTX_VALID(lctx));
@@ -2073,43 +2116,39 @@ pushfile(const char *master_file, dns_name_t *origin, dns_loadctx_t *lctx) {
 	ictx = lctx->inc;
 	lctx->seen_include = ISC_TRUE;
 
-	result = incctx_create(lctx->mctx, origin, &new);
+	result = incctx_create(lctx->mctx, origin, &newctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
 	/*
 	 * Push origin_changed.
 	 */
-	new->origin_changed = ictx->origin_changed;
+	newctx->origin_changed = ictx->origin_changed;
 
 	/* Set current domain. */
 	if (ictx->glue != NULL || ictx->current != NULL) {
-		for (new_in_use = 0; new_in_use < NBUFS; new_in_use++)
-			if (!new->in_use[new_in_use])
-				break;
-		INSIST(new_in_use < NBUFS);
-		new->current_in_use = new_in_use;
-		new->current =
-			dns_fixedname_name(&new->fixed[new->current_in_use]);
-		new->in_use[new->current_in_use] = ISC_TRUE;
+		newctx->current_in_use = find_free_name(newctx);
+		newctx->current =
+			dns_fixedname_name(&newctx->fixed[newctx->current_in_use]);
+		newctx->in_use[newctx->current_in_use] = ISC_TRUE;
 		dns_name_toregion((ictx->glue != NULL) ?
 				   ictx->glue : ictx->current, &r);
-		dns_name_fromregion(new->current, &r);
-		new->drop = ictx->drop;
+		dns_name_fromregion(newctx->current, &r);
+		newctx->drop = ictx->drop;
 	}
 
 	result = (lctx->openfile)(lctx, master_file);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	new->parent = ictx;
-	lctx->inc = new;
+	newctx->parent = ictx;
+	lctx->inc = newctx;
 
 	if (lctx->include_cb != NULL)
 		lctx->include_cb(master_file, lctx->include_arg);
 	return (ISC_R_SUCCESS);
 
  cleanup:
-	incctx_destroy(lctx->mctx, new);
+	incctx_destroy(lctx->mctx, newctx);
 	return (result);
 }
 
@@ -2938,17 +2977,17 @@ dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
  * Re-link glue and current list.
  */
 static dns_rdatalist_t *
-grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
+grow_rdatalist(int new_len, dns_rdatalist_t *oldlist, int old_len,
 	       rdatalist_head_t *current, rdatalist_head_t *glue,
 	       isc_mem_t *mctx)
 {
-	dns_rdatalist_t *new;
+	dns_rdatalist_t *newlist;
 	int rdlcount = 0;
 	ISC_LIST(dns_rdatalist_t) save;
 	dns_rdatalist_t *this;
 
-	new = isc_mem_get(mctx, new_len * sizeof(*new));
-	if (new == NULL)
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL)
 		return (NULL);
 
 	ISC_LIST_INIT(save);
@@ -2959,8 +2998,8 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
 	while ((this = ISC_LIST_HEAD(save)) != NULL) {
 		ISC_LIST_UNLINK(save, this, link);
 		INSIST(rdlcount < new_len);
-		new[rdlcount] = *this;
-		ISC_LIST_APPEND(*current, &new[rdlcount], link);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*current, &newlist[rdlcount], link);
 		rdlcount++;
 	}
 
@@ -2972,15 +3011,15 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
 	while ((this = ISC_LIST_HEAD(save)) != NULL) {
 		ISC_LIST_UNLINK(save, this, link);
 		INSIST(rdlcount < new_len);
-		new[rdlcount] = *this;
-		ISC_LIST_APPEND(*glue, &new[rdlcount], link);
+		newlist[rdlcount] = *this;
+		ISC_LIST_APPEND(*glue, &newlist[rdlcount], link);
 		rdlcount++;
 	}
 
 	INSIST(rdlcount == old_len);
-	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof(*old));
-	return (new);
+	if (oldlist != NULL)
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	return (newlist);
 }
 
 /*
@@ -2988,20 +3027,20 @@ grow_rdatalist(int new_len, dns_rdatalist_t *old, int old_len,
  * Re-link the current and glue chains.
  */
 static dns_rdata_t *
-grow_rdata(int new_len, dns_rdata_t *old, int old_len,
+grow_rdata(int new_len, dns_rdata_t *oldlist, int old_len,
 	   rdatalist_head_t *current, rdatalist_head_t *glue,
 	   isc_mem_t *mctx)
 {
-	dns_rdata_t *new;
+	dns_rdata_t *newlist;
 	int rdcount = 0;
 	ISC_LIST(dns_rdata_t) save;
 	dns_rdatalist_t *this;
 	dns_rdata_t *rdata;
 
-	new = isc_mem_get(mctx, new_len * sizeof(*new));
-	if (new == NULL)
+	newlist = isc_mem_get(mctx, new_len * sizeof(*newlist));
+	if (newlist == NULL)
 		return (NULL);
-	memset(new, 0, new_len * sizeof(*new));
+	memset(newlist, 0, new_len * sizeof(*newlist));
 
 	/*
 	 * Copy current relinking.
@@ -3016,8 +3055,8 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
 		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
 			ISC_LIST_UNLINK(save, rdata, link);
 			INSIST(rdcount < new_len);
-			new[rdcount] = *rdata;
-			ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
 			rdcount++;
 		}
 		this = ISC_LIST_NEXT(this, link);
@@ -3036,16 +3075,16 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
 		while ((rdata = ISC_LIST_HEAD(save)) != NULL) {
 			ISC_LIST_UNLINK(save, rdata, link);
 			INSIST(rdcount < new_len);
-			new[rdcount] = *rdata;
-			ISC_LIST_APPEND(this->rdata, &new[rdcount], link);
+			newlist[rdcount] = *rdata;
+			ISC_LIST_APPEND(this->rdata, &newlist[rdcount], link);
 			rdcount++;
 		}
 		this = ISC_LIST_NEXT(this, link);
 	}
 	INSIST(rdcount == old_len || rdcount == 0);
-	if (old != NULL)
-		isc_mem_put(mctx, old, old_len * sizeof(*old));
-	return (new);
+	if (oldlist != NULL)
+		isc_mem_put(mctx, oldlist, old_len * sizeof(*oldlist));
+	return (newlist);
 }
 
 static isc_uint32_t
diff --git a/usr.sbin/bind/lib/dns/masterdump.c b/usr.sbin/bind/lib/dns/masterdump.c
index af5efbbffa3..592a3461b53 100644
--- a/usr.sbin/bind/lib/dns/masterdump.c
+++ b/usr.sbin/bind/lib/dns/masterdump.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/message.c b/usr.sbin/bind/lib/dns/message.c
index e273b0f5c82..bf1ef5aab61 100644
--- a/usr.sbin/bind/lib/dns/message.c
+++ b/usr.sbin/bind/lib/dns/message.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.8 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: message.c,v 1.9 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -57,7 +56,7 @@ hexdump(const char *msg, const char *msg2, void *base, size_t len) {
 	p = base;
 	cnt = 0;
 
-	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, len, base);
+	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, (unsigned)len, base);
 
 	while (cnt < len) {
 		if (cnt % 16 == 0)
@@ -1962,6 +1961,15 @@ renderset(dns_rdataset_t *rdataset, dns_name_t *owner_name,
 	return (result);
 }
 
+static void
+maybe_clear_ad(dns_message_t *msg, dns_section_t sectionid) {
+	if (msg->counts[sectionid] == 0 &&
+	    (sectionid == DNS_SECTION_ANSWER ||
+	     (sectionid == DNS_SECTION_AUTHORITY &&
+	      msg->counts[DNS_SECTION_ANSWER] == 0)))
+		msg->flags &= ~DNS_MESSAGEFLAG_AD;
+}
+
 isc_result_t
 dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 			  unsigned int options)
@@ -2159,6 +2167,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 					*(msg->buffer) = st;  /* rollback */
 					msg->buffer->length += msg->reserved;
 					msg->counts[sectionid] += total;
+					maybe_clear_ad(msg, sectionid);
 					return (result);
 				}
 
@@ -3480,6 +3489,22 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 				ADD_STRING(target, "; EXPIRE");
 			} else if (optcode == DNS_OPT_PAD) {
 				ADD_STRING(target, "; PAD");
+			} else if (optcode == DNS_OPT_KEY_TAG) {
+				ADD_STRING(target, "; KEY-TAG");
+				if (optlen > 0U && (optlen % 2U) == 0U) {
+					const char *sep = ": ";
+					isc_uint16_t id;
+					while (optlen > 0U) {
+					    id = isc_buffer_getuint16(&optbuf);
+					    snprintf(buf, sizeof(buf), "%s%u",
+						     sep, id);
+					    ADD_STRING(target, buf);
+					    sep = ", ";
+					    optlen -= 2;
+					}
+					ADD_STRING(target, "\n");
+					continue;
+				}
 			} else {
 				ADD_STRING(target, "; OPT=");
 				snprintf(buf, sizeof(buf), "%u", optcode);
@@ -3819,8 +3844,10 @@ dns_message_buildopt(dns_message_t *message, dns_rdataset_t **rdatasetp,
 		for (i = 0; i < count; i++)  {
 			isc_buffer_putuint16(buf, ednsopts[i].code);
 			isc_buffer_putuint16(buf, ednsopts[i].length);
-			isc_buffer_putmem(buf, ednsopts[i].value,
-					  ednsopts[i].length);
+			if (ednsopts[i].length != 0) {
+				isc_buffer_putmem(buf, ednsopts[i].value,
+						  ednsopts[i].length);
+			}
 		}
 		rdata->data = isc_buffer_base(buf);
 		rdata->length = len;
diff --git a/usr.sbin/bind/lib/dns/name.c b/usr.sbin/bind/lib/dns/name.c
index b072739be4f..daf2b0c1133 100644
--- a/usr.sbin/bind/lib/dns/name.c
+++ b/usr.sbin/bind/lib/dns/name.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.12 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: name.c,v 1.13 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -41,6 +40,25 @@
 
 #define VALID_NAME(n)	ISC_MAGIC_VALID(n, DNS_NAME_MAGIC)
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+#ifndef DNS_NAME_INITNONABSOLUTE
+#define DNS_NAME_INITNONABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, (sizeof(A) - 1), sizeof(B), \
+	DNS_NAMEATTR_READONLY, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+
 typedef enum {
 	ft_init = 0,
 	ft_start,
@@ -153,34 +171,19 @@ do { \
  * literal, to avoid compiler warnings about discarding
  * the const attribute of a string.
  */
-static unsigned char root_ndata[] = { '\0' };
+static unsigned char root_ndata[] = { "" };
 static unsigned char root_offsets[] = { 0 };
 
-static dns_name_t root =
-{
-	DNS_NAME_MAGIC,
-	root_ndata, 1, 1,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	root_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t root = DNS_NAME_INITABSOLUTE(root_ndata, root_offsets);
 
 /* XXXDCL make const? */
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_rootname = &root;
 
-static unsigned char wild_ndata[] = { '\001', '*' };
+static unsigned char wild_ndata[] = { "\001*" };
 static unsigned char wild_offsets[] = { 0 };
 
 static dns_name_t wild =
-{
-	DNS_NAME_MAGIC,
-	wild_ndata, 2, 1,
-	DNS_NAMEATTR_READONLY,
-	wild_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+	DNS_NAME_INITNONABSOLUTE(wild_ndata, wild_offsets);
 
 /* XXXDCL make const? */
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_wildcardname = &wild;
@@ -1062,7 +1065,8 @@ dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
 		len = (r->length < r2.length) ? r->length : r2.length;
 		if (len > DNS_NAME_MAXWIRE)
 			len = DNS_NAME_MAXWIRE;
-		memmove(r2.base, r->base, len);
+		if (len != 0)
+			memmove(r2.base, r->base, len);
 		name->ndata = r2.base;
 		name->length = len;
 	} else {
@@ -1652,9 +1656,9 @@ dns_name_tofilenametext(dns_name_t *name, isc_boolean_t omit_final_dot,
 					trem--;
 					nlen--;
 				} else {
-					if (trem < 3)
+					if (trem < 4)
 						return (ISC_R_NOSPACE);
-					sprintf(tdata, "%%%02X", c);
+					snprintf(tdata, trem, "%%%02X", c);
 					tdata += 3;
 					trem -= 3;
 					ndata++;
@@ -2040,8 +2044,11 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
 	if (gf) {
 		if (target->length - target->used < gp.length)
 			return (ISC_R_NOSPACE);
-		(void)memmove((unsigned char *)target->base + target->used,
-			      gp.ndata, (size_t)gp.length);
+		if (gp.length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, gp.ndata,
+				      (size_t)gp.length);
+		}
 		isc_buffer_add(target, gp.length);
 		go |= 0xc000;
 		if (target->length - target->used < 2)
@@ -2052,8 +2059,11 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
 	} else {
 		if (target->length - target->used < name->length)
 			return (ISC_R_NOSPACE);
-		(void)memmove((unsigned char *)target->base + target->used,
-			      name->ndata, (size_t)name->length);
+		if (name->length != 0) {
+			unsigned char *base = target->base;
+			(void)memmove(base + target->used, name->ndata,
+				      (size_t)name->length);
+		}
 		isc_buffer_add(target, name->length);
 		dns_compress_add(cctx, name, name, offset);
 	}
@@ -2525,7 +2535,8 @@ dns_name_copy(dns_name_t *source, dns_name_t *dest, isc_buffer_t *target) {
 	ndata = (unsigned char *)target->base + target->used;
 	dest->ndata = target->base;
 
-	memmove(ndata, source->ndata, source->length);
+	if (source->length != 0)
+		memmove(ndata, source->ndata, source->length);
 
 	dest->ndata = ndata;
 	dest->labels = source->labels;
@@ -2578,47 +2589,12 @@ static unsigned char dr_dns_sd_udp_offsets[] = { 0, 3, 11 };
 static unsigned char lb_dns_sd_udp_data[]  = "\002lb\007_dns-sd\004_udp";
 static unsigned char lb_dns_sd_udp_offsets[] = { 0, 3, 11 };
 
-static const dns_name_t dns_sd[] = {
-	{
-		DNS_NAME_MAGIC,
-		b_dns_sd_udp_data, 15, 3,
-		DNS_NAMEATTR_READONLY,
-		b_dns_sd_udp_offsets, NULL,
-		{(void *)-1, (void *)-1},
-		{NULL, NULL}
-	},
-	{
-		DNS_NAME_MAGIC,
-		db_dns_sd_udp_data, 16, 3,
-		DNS_NAMEATTR_READONLY,
-		db_dns_sd_udp_offsets, NULL,
-		{(void *)-1, (void *)-1},
-		{NULL, NULL}
-	},
-	{
-		DNS_NAME_MAGIC,
-		r_dns_sd_udp_data, 15, 3,
-		DNS_NAMEATTR_READONLY,
-		r_dns_sd_udp_offsets, NULL,
-		{(void *)-1, (void *)-1},
-		{NULL, NULL}
-	},
-	{
-		DNS_NAME_MAGIC,
-		dr_dns_sd_udp_data, 16, 3,
-		DNS_NAMEATTR_READONLY,
-		dr_dns_sd_udp_offsets, NULL,
-		{(void *)-1, (void *)-1},
-		{NULL, NULL}
-	},
-	{
-		DNS_NAME_MAGIC,
-		lb_dns_sd_udp_data, 16, 3,
-		DNS_NAMEATTR_READONLY,
-		lb_dns_sd_udp_offsets, NULL,
-		{(void *)-1, (void *)-1},
-		{NULL, NULL}
-	}
+static dns_name_t const dns_sd[] = {
+	DNS_NAME_INITNONABSOLUTE(b_dns_sd_udp_data, b_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(db_dns_sd_udp_data, db_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(r_dns_sd_udp_data, r_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(dr_dns_sd_udp_data, dr_dns_sd_udp_offsets),
+	DNS_NAME_INITNONABSOLUTE(lb_dns_sd_udp_data, lb_dns_sd_udp_offsets)
 };
 
 isc_boolean_t
@@ -2637,15 +2613,6 @@ dns_name_isdnssd(const dns_name_t *name) {
 	return (ISC_FALSE);
 }
 
-#define NS_NAME_INIT(A,B) \
-	 { \
-		DNS_NAME_MAGIC, \
-		A, sizeof(A), sizeof(B), \
-		DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
-		B, NULL, { (void *)-1, (void *)-1}, \
-		{NULL, NULL} \
-	}
-
 static unsigned char inaddr10_offsets[] = { 0, 3, 11, 16 };
 static unsigned char inaddr172_offsets[] = { 0, 3, 7, 15, 20 };
 static unsigned char inaddr192_offsets[] = { 0, 4, 8, 16, 21 };
@@ -2672,24 +2639,24 @@ static unsigned char inaddr31172[] = "\00231\003172\007IN-ADDR\004ARPA";
 static unsigned char inaddr168192[] = "\003168\003192\007IN-ADDR\004ARPA";
 
 static dns_name_t const rfc1918names[] = {
-	NS_NAME_INIT(inaddr10, inaddr10_offsets),
-	NS_NAME_INIT(inaddr16172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr17172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr18172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr19172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr20172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr21172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr22172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr23172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr24172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr25172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr26172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr27172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr28172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr29172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr30172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr31172, inaddr172_offsets),
-	NS_NAME_INIT(inaddr168192, inaddr192_offsets)
+	DNS_NAME_INITABSOLUTE(inaddr10, inaddr10_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr16172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr17172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr18172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr19172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr20172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr21172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr22172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr23172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr24172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr25172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr26172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr27172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr28172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr29172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr30172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr31172, inaddr172_offsets),
+	DNS_NAME_INITABSOLUTE(inaddr168192, inaddr192_offsets)
 };
 
 isc_boolean_t
@@ -2707,8 +2674,8 @@ static unsigned char ip6fc[] = "\001c\001f\003ip6\004ARPA";
 static unsigned char ip6fd[] = "\001d\001f\003ip6\004ARPA";
 
 static dns_name_t const ulanames[] = {
-	NS_NAME_INIT(ip6fc, ulaoffsets),
-	NS_NAME_INIT(ip6fd, ulaoffsets),
+	DNS_NAME_INITABSOLUTE(ip6fc, ulaoffsets),
+	DNS_NAME_INITABSOLUTE(ip6fd, ulaoffsets)
 };
 
 isc_boolean_t
@@ -2720,3 +2687,62 @@ dns_name_isula(const dns_name_t *name) {
 			return (ISC_TRUE);
 	return (ISC_FALSE);
 }
+
+/*
+ * Use a simple table as we don't want all the locale stuff
+ * associated with ishexdigit().
+ */
+const char
+ishex[256] = {
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0,
+     0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+};
+
+isc_boolean_t
+dns_name_istat(const dns_name_t *name) {
+	unsigned char len;
+	const unsigned char *ndata;
+
+	REQUIRE(VALID_NAME(name));
+
+	if (name->labels < 1)
+		return (ISC_FALSE);
+
+	ndata = name->ndata;
+	len = ndata[0];
+	INSIST(len <= name->length);
+	ndata++;
+
+	/*
+	 * Is there at least one trust anchor reported and is the
+	 * label length consistent with a trust-anchor-telementry label.
+	 */
+	if ((len < 8) || (len - 3) % 5 != 0) {
+		return (ISC_FALSE);
+	}
+
+	if (ndata[0] != '_' ||
+	    maptolower[ndata[1]] != 't' ||
+	    maptolower[ndata[2]] != 'a') {
+		return (ISC_FALSE);
+	}
+	ndata += 3;
+	len -= 3;
+
+	while (len > 0) {
+		INSIST(len >= 5);
+		if (ndata[0] != '-' || !ishex[ndata[1]] || !ishex[ndata[2]] ||
+		    !ishex[ndata[3]] || !ishex[ndata[4]]) {
+			return (ISC_FALSE);
+		}
+		ndata += 5;
+		len -= 5;
+	}
+	return (ISC_TRUE);
+}
diff --git a/usr.sbin/bind/lib/dns/ncache.c b/usr.sbin/bind/lib/dns/ncache.c
index 7dfe4906970..ac17368f6b2 100644
--- a/usr.sbin/bind/lib/dns/ncache.c
+++ b/usr.sbin/bind/lib/dns/ncache.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.6 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: ncache.c,v 1.7 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/nsec.c b/usr.sbin/bind/lib/dns/nsec.c
index ba64bf808ba..cfa6ae55560 100644
--- a/usr.sbin/bind/lib/dns/nsec.c
+++ b/usr.sbin/bind/lib/dns/nsec.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: nsec.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/nsec3.c b/usr.sbin/bind/lib/dns/nsec3.c
index 7c9060c754e..8afefe262b6 100644
--- a/usr.sbin/bind/lib/dns/nsec3.c
+++ b/usr.sbin/bind/lib/dns/nsec3.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: nsec3.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
@@ -383,8 +383,8 @@ match_nsec3param(const dns_rdata_nsec3_t *nsec3,
  * change in "diff".
  */
 static isc_result_t
-delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
-       const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
+delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	 const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
 {
 	dns_dbnode_t *node = NULL ;
 	dns_difftuple_t *tuple = NULL;
@@ -677,7 +677,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 		/*
 		 * Delete the old previous NSEC3.
 		 */
-		CHECK(delete(db, version, prev, nsec3param, diff));
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
 
 		/*
 		 * Fixup the previous NSEC3.
@@ -713,7 +713,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 	/*
 	 * Delete the old NSEC3 and record the change.
 	 */
-	CHECK(delete(db, version, hashname, nsec3param, diff));
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
 	/*
 	 * Add the new NSEC3 and record the change.
 	 */
@@ -796,7 +796,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 			/*
 			 * Delete the old previous NSEC3.
 			 */
-			CHECK(delete(db, version, prev, nsec3param, diff));
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
 
 			/*
 			 * Fixup the previous NSEC3.
@@ -833,7 +833,7 @@ dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
 		/*
 		 * Delete the old NSEC3 and record the change.
 		 */
-		CHECK(delete(db, version, hashname, nsec3param, diff));
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
 
 		/*
 		 * Add the new NSEC3 and record the change.
@@ -1016,6 +1016,42 @@ rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 }
 
 isc_result_t
+dns_nsec3param_salttotext(dns_rdata_nsec3param_t *nsec3param, char *dst,
+			  size_t dstlen)
+{
+	isc_result_t result;
+	isc_region_t r;
+	isc_buffer_t b;
+
+	REQUIRE(nsec3param != NULL);
+	REQUIRE(dst != NULL);
+
+	if (nsec3param->salt_length == 0) {
+		if (dstlen < 2U) {
+			return (ISC_R_NOSPACE);
+		}
+		strlcpy(dst, "-", dstlen);
+		return (ISC_R_SUCCESS);
+	}
+
+	r.base = nsec3param->salt;
+	r.length = nsec3param->salt_length;
+	isc_buffer_init(&b, dst, (unsigned int)dstlen);
+
+	result = isc_hex_totext(&r, 2, "", &b);
+	if (result != ISC_R_SUCCESS) {
+		return (result);
+	}
+
+	if (isc_buffer_availablelength(&b) < 1) {
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_putuint8(&b, 0);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
 dns_nsec3param_deletechains(dns_db_t *db, dns_dbversion_t *ver,
 			    dns_zone_t *zone, isc_boolean_t nonsec,
 			    dns_diff_t *diff)
@@ -1399,7 +1435,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		/*
 		 * Delete the old previous NSEC3.
 		 */
-		CHECK(delete(db, version, prev, nsec3param, diff));
+		CHECK(delnsec3(db, version, prev, nsec3param, diff));
 
 		/*
 		 * Fixup the previous NSEC3.
@@ -1423,7 +1459,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	/*
 	 * Delete the old NSEC3 and record the change.
 	 */
-	CHECK(delete(db, version, hashname, nsec3param, diff));
+	CHECK(delnsec3(db, version, hashname, nsec3param, diff));
 
 	/*
 	 *  Delete NSEC3 records for now non active nodes.
@@ -1499,7 +1535,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 			/*
 			 * Delete the old previous NSEC3.
 			 */
-			CHECK(delete(db, version, prev, nsec3param, diff));
+			CHECK(delnsec3(db, version, prev, nsec3param, diff));
 
 			/*
 			 * Fixup the previous NSEC3.
@@ -1525,7 +1561,7 @@ dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		/*
 		 * Delete the old NSEC3 and record the change.
 		 */
-		CHECK(delete(db, version, hashname, nsec3param, diff));
+		CHECK(delnsec3(db, version, hashname, nsec3param, diff));
 	} while (1);
 
  success:
diff --git a/usr.sbin/bind/lib/dns/openssl_link.c b/usr.sbin/bind/lib/dns/openssl_link.c
index fc13bdd431d..cfe74beebc4 100644
--- a/usr.sbin/bind/lib/dns/openssl_link.c
+++ b/usr.sbin/bind/lib/dns/openssl_link.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2012, 2014-2017  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -112,7 +114,7 @@ entropy_add(const void *buf, int num, double entropy) {
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
 lock_callback(int mode, int type, const char *file, int line) {
 	UNUSED(file);
@@ -122,7 +124,9 @@ lock_callback(int mode, int type, const char *file, int line) {
 	else
 		UNLOCK(&locks[type]);
 }
+#endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
 static unsigned long
 id_callback(void) {
 	return ((unsigned long)isc_thread_self());
@@ -186,6 +190,14 @@ mem_realloc(void *ptr, size_t size FLARG) {
 #endif
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+static void
+_set_thread_id(CRYPTO_THREADID *id)
+{
+	CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
+}
+#endif
+
 isc_result_t
 dst__openssl_init(const char *engine) {
 	isc_result_t result;
@@ -211,10 +223,14 @@ dst__openssl_init(const char *engine) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_mutexalloc;
 	CRYPTO_set_locking_callback(lock_callback);
+# if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+	CRYPTO_THREADID_set_callback(_set_thread_id);
+# else
 	CRYPTO_set_id_callback(id_callback);
-#endif
+# endif
 
 	ERR_load_crypto_strings();
+#endif
 
 	rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
 	if (rm == NULL) {
@@ -332,7 +348,9 @@ dst__openssl_destroy(void) {
 	CRYPTO_cleanup_all_ex_data();
 #endif
 	ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+	ERR_remove_thread_state(NULL);
+#elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
 	ERR_remove_state(0);
 #endif
 	ERR_free_strings();
diff --git a/usr.sbin/bind/lib/dns/openssldh_link.c b/usr.sbin/bind/lib/dns/openssldh_link.c
index 1a506526db5..869242dc81a 100644
--- a/usr.sbin/bind/lib/dns/openssldh_link.c
+++ b/usr.sbin/bind/lib/dns/openssldh_link.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,7 +33,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.3 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: openssldh_link.c,v 1.4 2019/12/17 01:46:32 sthen Exp $
  */
 
 #ifdef OPENSSL
@@ -45,6 +47,7 @@
 #include <ctype.h>
 
 #include <isc/mem.h>
+#include <isc/safe.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -313,6 +316,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 					DST_R_OPENSSLFAILURE));
 		}
 		BN_GENCB_free(cb);
+		cb = NULL;
 #else
 		dh = DH_generate_parameters(key->key_size, generator,
 					    NULL, NULL);
@@ -694,7 +698,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		BN_free(priv_key);
 	openssldh_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/openssldsa_link.c b/usr.sbin/bind/lib/dns/openssldsa_link.c
index 2779d392629..bedb38f9d69 100644
--- a/usr.sbin/bind/lib/dns/openssldsa_link.c
+++ b/usr.sbin/bind/lib/dns/openssldsa_link.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +13,10 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
- * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * Portions Copyright (C) Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -44,6 +46,7 @@
 
 #include <isc/entropy.h>
 #include <isc/mem.h>
+#include <isc/safe.h>
 #include <isc/sha1.h>
 #include <isc/util.h>
 
@@ -492,6 +495,7 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 					       DST_R_OPENSSLFAILURE));
 	}
 	BN_GENCB_free(cb);
+	cb = NULL;
 #else
 	dsa = DSA_generate_parameters(key->key_size, rand_array,
 				      ISC_SHA1_DIGESTLENGTH, NULL, NULL,
@@ -720,7 +724,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		pub->keydata.pkey = NULL;
 		key->key_size = pub->key_size;
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -756,7 +760,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	DSA_set0_key(dsa, pub_key, priv_key);
 	DSA_set0_pqg(dsa, p, q, g);
 	key->key_size = BN_num_bits(p);
@@ -771,7 +775,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		BN_free(g);
 	openssldsa_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/opensslecdsa_link.c b/usr.sbin/bind/lib/dns/opensslecdsa_link.c
index 1c8a3447535..176a446fb3c 100644
--- a/usr.sbin/bind/lib/dns/opensslecdsa_link.c
+++ b/usr.sbin/bind/lib/dns/opensslecdsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -24,6 +24,7 @@
 
 #include <isc/entropy.h>
 #include <isc/mem.h>
+#include <isc/safe.h>
 #include <isc/sha2.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -567,7 +568,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		key->keydata.pkey = pub->keydata.pkey;
 		pub->keydata.pkey = NULL;
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -609,7 +610,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	if (eckey != NULL)
 		EC_KEY_free(eckey);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/openssleddsa_link.c b/usr.sbin/bind/lib/dns/openssleddsa_link.c
new file mode 100644
index 00000000000..e867eb69a97
--- /dev/null
+++ b/usr.sbin/bind/lib/dns/openssleddsa_link.c
@@ -0,0 +1,679 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#if defined(OPENSSL) && \
+    (defined(HAVE_OPENSSL_ED25519) || defined(HAVE_OPENSSL_ED448))
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_openssl.h"
+#include "dst_parse.h"
+
+#include <openssl/err.h>
+#include <openssl/objects.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#ifndef NID_ED25519
+#error "Ed25519 group is not known (NID_ED25519)"
+#endif
+#ifndef NID_ED448
+#error "Ed448 group is not known (NID_ED448)"
+#endif
+
+#define DST_RET(a) {ret = a; goto err;}
+
+/* OpenSSL doesn't provide direct access to key values */
+
+#define PUBPREFIXLEN	12
+
+static const unsigned char ed25519_pub_prefix[] = {
+	0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+	0x70, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed25519_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed25519_pub_prefix, PUBPREFIXLEN);
+	memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+	p = buf;
+	return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t pub_ed25519_from_ossl(EVP_PKEY *pkey,
+					  unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED25519SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PUBKEY(pkey, NULL);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PUBKEY(pkey, &p);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_pub_prefix[] = {
+	0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+	0x71, 0x03, 0x21, 0x00
+};
+
+static EVP_PKEY *pub_ed448_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed448_pub_prefix, PUBPREFIXLEN);
+	memmove(buf + PUBPREFIXLEN, key, DNS_KEY_ED448SIZE);
+	p = buf;
+	return (d2i_PUBKEY(NULL, &p, PUBPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t pub_ed448_from_ossl(EVP_PKEY *pkey,
+					unsigned char *key)
+{
+	unsigned char buf[PUBPREFIXLEN + DNS_KEY_ED448SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PUBKEY(pkey, NULL);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PUBKEY(pkey, &p);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PUBPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+#define PRIVPREFIXLEN	16
+
+static const unsigned char ed25519_priv_prefix[] = {
+	0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+	0x03, 0x2b, 0x65, 0x70, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed25519_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed25519_priv_prefix, PRIVPREFIXLEN);
+	memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED25519SIZE);
+	p = buf;
+	return (d2i_PrivateKey(NID_ED25519, NULL, &p,
+			       PRIVPREFIXLEN + DNS_KEY_ED25519SIZE));
+}
+
+static isc_result_t priv_ed25519_from_ossl(EVP_PKEY *pkey,
+					  unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED25519SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PrivateKey(pkey, &p);
+	if ((len <= DNS_KEY_ED25519SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED25519SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED25519SIZE, DNS_KEY_ED25519SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static const unsigned char ed448_priv_prefix[] = {
+	0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06,
+	0x03, 0x2b, 0x65, 0x71, 0x04, 0x22, 0x04, 0x20
+};
+
+static EVP_PKEY *priv_ed448_to_ossl(const unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+	const unsigned char *p;
+
+	memmove(buf, ed448_priv_prefix, PRIVPREFIXLEN);
+	memmove(buf + PRIVPREFIXLEN, key, DNS_KEY_ED448SIZE);
+	p = buf;
+	return (d2i_PrivateKey(NID_ED448, NULL, &p,
+			       PRIVPREFIXLEN + DNS_KEY_ED448SIZE));
+}
+
+static isc_result_t priv_ed448_from_ossl(EVP_PKEY *pkey,
+					unsigned char *key)
+{
+	unsigned char buf[PRIVPREFIXLEN + DNS_KEY_ED448SIZE];
+	unsigned char *p;
+	int len;
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	p = buf;
+	len = i2d_PrivateKey(pkey, &p);
+	if ((len <= DNS_KEY_ED448SIZE) ||
+	    (len > PRIVPREFIXLEN + DNS_KEY_ED448SIZE))
+		return (DST_R_OPENSSLFAILURE);
+	memmove(key, buf + len - DNS_KEY_ED448SIZE, DNS_KEY_ED448SIZE);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t openssleddsa_todns(const dst_key_t *key,
+				       isc_buffer_t *data);
+
+static isc_result_t
+openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+	isc_result_t result;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_allocate(dctx->mctx, &buf, 64);
+	dctx->ctxdata.generic = buf;
+
+	return (result);
+}
+
+static void
+openssleddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL)
+		isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+openssleddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	isc_buffer_t *nbuf = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	length = isc_buffer_length(buf) + data->length + 64;
+	result = isc_buffer_allocate(dctx->mctx, &nbuf, length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(buf, &r);
+	(void) isc_buffer_copyregion(nbuf, &r);
+	(void) isc_buffer_copyregion(nbuf, data);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = nbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	isc_region_t tbsreg;
+	isc_region_t sigreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	size_t siglen;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	isc_buffer_availableregion(sig, &sigreg);
+	if (sigreg.length < (unsigned int) siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (!EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestSignInit",
+					       ISC_R_FAILURE));
+	if (!EVP_DigestSign(ctx, sigreg.base, &siglen,
+			    tbsreg.base, tbsreg.length))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestSign",
+					       DST_R_SIGNFAILURE));
+	isc_buffer_add(sig, (unsigned int) siglen);
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (ctx != NULL)
+		EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_result_t ret;
+	dst_key_t *key = dctx->key;
+	int status;
+	isc_region_t tbsreg;
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_MD_CTX* ctx = EVP_MD_CTX_new();
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	unsigned int siglen;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	if (sig->length != siglen)
+		return (DST_R_VERIFYFAILURE);
+
+	isc_buffer_usedregion(buf, &tbsreg);
+
+	if (!EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey))
+		DST_RET(dst__openssl_toresult3(dctx->category,
+					       "EVP_DigestVerifyInit",
+					       ISC_R_FAILURE));
+
+	status = EVP_DigestVerify(ctx, sig->base, siglen,
+				  tbsreg.base, tbsreg.length);
+
+	switch (status) {
+	case 1:
+		ret = ISC_R_SUCCESS;
+		break;
+	case 0:
+		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
+		break;
+	default:
+		ret = dst__openssl_toresult3(dctx->category,
+					     "EVP_DigestVerify",
+					     DST_R_VERIFYFAILURE);
+		break;
+	}
+
+ err:
+	if (ctx != NULL)
+		EVP_MD_CTX_free(ctx);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_boolean_t
+openssleddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	int status;
+	EVP_PKEY *pkey1 = key1->keydata.pkey;
+	EVP_PKEY *pkey2 = key2->keydata.pkey;
+
+	if (pkey1 == NULL && pkey2 == NULL)
+		return (ISC_TRUE);
+	else if (pkey1 == NULL || pkey2 == NULL)
+		return (ISC_FALSE);
+
+	status = EVP_PKEY_cmp(pkey1, pkey2);
+	if (status == 1)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static isc_result_t
+openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
+	int nid, status;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		nid = NID_ED25519;
+		key->key_size = DNS_KEY_ED25519SIZE;
+	} else {
+		nid = NID_ED448;
+		key->key_size = DNS_KEY_ED448SIZE;
+	}
+
+	ctx = EVP_PKEY_CTX_new_id(nid, NULL);
+	if (ctx == NULL)
+		return (dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
+					       DST_R_OPENSSLFAILURE));
+
+	status = EVP_PKEY_keygen_init(ctx);
+	if (status != 1)
+		DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen_init",
+						DST_R_OPENSSLFAILURE));
+
+	status = EVP_PKEY_keygen(ctx, &pkey);
+	if (status != 1)
+		DST_RET (dst__openssl_toresult2("EVP_PKEY_keygen",
+						DST_R_OPENSSLFAILURE));
+
+	key->keydata.pkey = pkey;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	if (ctx != NULL)
+		EVP_PKEY_CTX_free(ctx);
+	return (ret);
+}
+
+static isc_boolean_t
+openssleddsa_isprivate(const dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	int len;
+	unsigned long err;
+
+	if (pkey == NULL)
+		return (ISC_FALSE);
+
+	len = i2d_PrivateKey(pkey, NULL);
+	if (len > 0)
+		return (ISC_TRUE);
+	/* can check if first error is EC_R_INVALID_PRIVATE_KEY */
+	while ((err = ERR_get_error()) != 0)
+		/**/;
+
+	return (ISC_FALSE);
+}
+
+static void
+openssleddsa_destroy(dst_key_t *key) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey = key->keydata.pkey;
+	isc_region_t r;
+	isc_result_t result;
+
+	REQUIRE(pkey != NULL);
+
+	pkey = key->keydata.pkey;
+	switch (key->key_alg) {
+	case DST_ALG_ED25519:
+		isc_buffer_availableregion(data, &r);
+		if (r.length < DNS_KEY_ED25519SIZE)
+			return (ISC_R_NOSPACE);
+		result = pub_ed25519_from_ossl(pkey, r.base);
+		if (result == ISC_R_SUCCESS)
+			isc_buffer_add(data, DNS_KEY_ED25519SIZE);
+		return (result);
+	case DST_ALG_ED448:
+		isc_buffer_availableregion(data, &r);
+		if (r.length < DNS_KEY_ED448SIZE)
+			return (ISC_R_NOSPACE);
+		result = pub_ed448_from_ossl(pkey, r.base);
+		if (result == ISC_R_SUCCESS)
+			isc_buffer_add(data, DNS_KEY_ED448SIZE);
+		return (result);
+	default:
+		INSIST(0);
+	}
+}
+
+static isc_result_t
+openssleddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	EVP_PKEY *pkey;
+	isc_region_t r;
+	unsigned int len;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		if (r.length < len)
+			return (DST_R_INVALIDPUBLICKEY);
+		pkey = pub_ed25519_to_ossl(r.base);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		if (r.length < len)
+			return (DST_R_INVALIDPUBLICKEY);
+		pkey = pub_ed448_to_ossl(r.base);
+	}
+	if (pkey == NULL)
+		return (dst__openssl_toresult(ISC_R_FAILURE));
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = pkey;
+	key->key_size = len;
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+openssleddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	EVP_PKEY *pkey;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int len;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	pkey = key->keydata.pkey;
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		buf = isc_mem_get(key->mctx, len);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[0].length = len;
+		ret = priv_ed25519_from_ossl(pkey, buf);
+		if (ret != ISC_R_SUCCESS)
+			DST_RET (dst__openssl_toresult(ret));
+		priv.elements[0].data = buf;
+		priv.nelements = 1;
+		ret = dst__privstruct_writefile(key, &priv, directory);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		buf = isc_mem_get(key->mctx, len);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[0].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[0].length = len;
+		ret = priv_ed448_from_ossl(pkey, buf);
+		if (ret != ISC_R_SUCCESS)
+			DST_RET (dst__openssl_toresult(ret));
+		priv.elements[0].data = buf;
+		priv.nelements = 1;
+		ret = dst__privstruct_writefile(key, &priv, directory);
+	}
+
+ err:
+	if (buf != NULL)
+		isc_mem_put(key->mctx, buf, len);
+	return (ret);
+}
+
+static isc_result_t
+eddsa_check(EVP_PKEY *privkey, dst_key_t *pub)
+{
+	EVP_PKEY *pkey;
+
+	if (pub == NULL)
+		return (ISC_R_SUCCESS);
+	pkey = pub->keydata.pkey;
+	if (pkey == NULL)
+		return (ISC_R_SUCCESS);
+	if (EVP_PKEY_cmp(privkey, pkey) == 1)
+		return (ISC_R_SUCCESS);
+	return (ISC_R_FAILURE);
+}
+
+static isc_result_t
+openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+	unsigned int len;
+	isc_mem_t *mctx = key->mctx;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		if (pub == NULL)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		dst__privstruct_free(&priv, mctx);
+		isc_safe_memwipe(&priv, sizeof(priv));
+		return (ISC_R_SUCCESS);
+	}
+
+	if (key->key_alg == DST_ALG_ED25519) {
+		len = DNS_KEY_ED25519SIZE;
+		if (priv.elements[0].length < len)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		pkey = priv_ed25519_to_ossl(priv.elements[0].data);
+	} else {
+		len = DNS_KEY_ED448SIZE;
+		if (priv.elements[0].length < len)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+		pkey = priv_ed448_to_ossl(priv.elements[0].data);
+	}
+	if (pkey == NULL)
+		DST_RET (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	if (eddsa_check(pkey, pub) != ISC_R_SUCCESS) {
+		EVP_PKEY_free(pkey);
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+	}
+	key->keydata.pkey = pkey;
+	key->key_size = len;
+	ret = ISC_R_SUCCESS;
+
+ err:
+	dst__privstruct_free(&priv, mctx);
+	isc_safe_memwipe(&priv, sizeof(priv));
+	return (ret);
+}
+
+static dst_func_t openssleddsa_functions = {
+	openssleddsa_createctx,
+	NULL, /*%< createctx2 */
+	openssleddsa_destroyctx,
+	openssleddsa_adddata,
+	openssleddsa_sign,
+	openssleddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	openssleddsa_compare,
+	NULL, /*%< paramcompare */
+	openssleddsa_generate,
+	openssleddsa_isprivate,
+	openssleddsa_destroy,
+	openssleddsa_todns,
+	openssleddsa_fromdns,
+	openssleddsa_tofile,
+	openssleddsa_parse,
+	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__openssleddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &openssleddsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* HAVE_OPENSSL_EDxxx */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* HAVE_OPENSSL_EDxxx */
+/*! \file */
diff --git a/usr.sbin/bind/lib/dns/opensslgost_link.c b/usr.sbin/bind/lib/dns/opensslgost_link.c
index 55a7511644e..22ebe44bea0 100644
--- a/usr.sbin/bind/lib/dns/opensslgost_link.c
+++ b/usr.sbin/bind/lib/dns/opensslgost_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -479,7 +479,7 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		pub->keydata.pkey = NULL;
 		key->key_size = pub->key_size;
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -531,7 +531,7 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	key->keydata.pkey = pkey;
 	key->key_size = EVP_PKEY_bits(pkey);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ISC_R_SUCCESS);
 
  err:
@@ -541,7 +541,7 @@ opensslgost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		EVP_PKEY_free(pkey);
 	opensslgost_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/opensslrsa_link.c b/usr.sbin/bind/lib/dns/opensslrsa_link.c
index f50ae07eff1..29de1079927 100644
--- a/usr.sbin/bind/lib/dns/opensslrsa_link.c
+++ b/usr.sbin/bind/lib/dns/opensslrsa_link.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -269,6 +268,33 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 #if USE_EVP
 	evp_md_ctx = EVP_MD_CTX_create();
 	if (evp_md_ctx == NULL)
@@ -966,6 +992,33 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	EVP_PKEY *pkey = EVP_PKEY_new();
 #endif
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096)
+			goto err;
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) ||
+		    (key->key_size > 4096))
+			goto err;
+		break;
+	default:
+		INSIST(0);
+	}
+
 	if (rsa == NULL || e == NULL || cb == NULL)
 		goto err;
 #if USE_EVP
@@ -995,6 +1048,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	if (RSA_generate_key_ex(rsa, key->key_size, e, cb)) {
 		BN_free(e);
 		BN_GENCB_free(cb);
+		cb = NULL;
 		SET_FLAGS(rsa);
 #if USE_EVP
 		key->keydata.pkey = pkey;
@@ -1005,21 +1059,28 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 #endif
 		return (ISC_R_SUCCESS);
 	}
-	BN_GENCB_free(cb);
 	ret = dst__openssl_toresult2("RSA_generate_key_ex",
 				     DST_R_OPENSSLFAILURE);
 
  err:
 #if USE_EVP
-	if (pkey != NULL)
+	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
+		pkey = NULL;
+	}
 #endif
-	if (e != NULL)
+	if (e != NULL) {
 		BN_free(e);
-	if (rsa != NULL)
+		e = NULL;
+	}
+	if (rsa != NULL) {
 		RSA_free(rsa);
-	if (cb != NULL)
+		rsa = NULL;
+	}
+	if (cb != NULL) {
 		BN_GENCB_free(cb);
+		cb = NULL;
+	}
 	return (dst__openssl_toresult(ret));
 #else
 	RSA *rsa;
@@ -1439,7 +1500,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		pub->keydata.pkey = NULL;
 		key->key_size = pub->key_size;
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -1507,7 +1568,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		EVP_PKEY_free(pkey);
 #endif
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ISC_R_SUCCESS);
 #else
 		DST_RET(DST_R_NOENGINE);
@@ -1571,7 +1632,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		}
 	}
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 
 	if (RSA_set0_key(rsa, n, e, d) == 0) {
 		if (n != NULL) BN_free(n);
@@ -1612,7 +1673,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		RSA_free(pubrsa);
 	key->keydata.generic = NULL;
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/order.c b/usr.sbin/bind/lib/dns/order.c
index cb174d3c8f6..02412f3c9a2 100644
--- a/usr.sbin/bind/lib/dns/order.c
+++ b/usr.sbin/bind/lib/dns/order.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: order.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/peer.c b/usr.sbin/bind/lib/dns/peer.c
index 8cf34363ae6..8e2b7a3d6d8 100644
--- a/usr.sbin/bind/lib/dns/peer.c
+++ b/usr.sbin/bind/lib/dns/peer.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: peer.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/pkcs11.c b/usr.sbin/bind/lib/dns/pkcs11.c
index 4f4204c687f..85ddad412b4 100644
--- a/usr.sbin/bind/lib/dns/pkcs11.c
+++ b/usr.sbin/bind/lib/dns/pkcs11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/pkcs11dh_link.c b/usr.sbin/bind/lib/dns/pkcs11dh_link.c
index 74c01ac9fd5..b3a572dd015 100644
--- a/usr.sbin/bind/lib/dns/pkcs11dh_link.c
+++ b/usr.sbin/bind/lib/dns/pkcs11dh_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -147,8 +147,8 @@ pkcs11dh_loadpriv(const dst_key_t *key,
     err:
 	for (i = 6; i <= 8; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(key->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -248,7 +248,8 @@ pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	if (hDerived != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx.session, hDerived);
 	if (valTemplate[0].pValue != NULL) {
-		memset(valTemplate[0].pValue, 0, valTemplate[0].ulValueLen);
+		isc_safe_memwipe(valTemplate[0].pValue,
+				 valTemplate[0].ulValueLen);
 		isc_mem_put(pub->mctx,
 			    valTemplate[0].pValue,
 			    valTemplate[0].ulValueLen);
@@ -256,7 +257,7 @@ pkcs11dh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	if ((hKey != CK_INVALID_HANDLE) && !priv->keydata.pkey->ontoken)
 		(void) pkcs_C_DestroyObject(ctx.session, hKey);
 	if (mech.pParameter != NULL) {
-		memset(mech.pParameter, 0, mech.ulParameterLen);
+		isc_safe_memwipe(mech.pParameter, mech.ulParameterLen);
 		isc_mem_put(pub->mctx, mech.pParameter, mech.ulParameterLen);
 	}
 	pk11_return_session(&ctx);
@@ -548,7 +549,7 @@ pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ISC_R_SUCCESS);
@@ -563,32 +564,36 @@ pkcs11dh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, domainparams);
 
 	if (pubTemplate[4].pValue != NULL) {
-		memset(pubTemplate[4].pValue, 0, pubTemplate[4].ulValueLen);
+		isc_safe_memwipe(pubTemplate[4].pValue,
+				 pubTemplate[4].ulValueLen);
 		isc_mem_put(key->mctx,
 			    pubTemplate[4].pValue,
 			    pubTemplate[4].ulValueLen);
 	}
 	if (pubTemplate[5].pValue != NULL) {
-		memset(pubTemplate[5].pValue, 0, pubTemplate[5].ulValueLen);
+		isc_safe_memwipe(pubTemplate[5].pValue,
+				 pubTemplate[5].ulValueLen);
 		isc_mem_put(key->mctx,
 			    pubTemplate[5].pValue,
 			    pubTemplate[5].ulValueLen);
 	}
 	if (pTemplate[0].pValue != NULL) {
-		memset(pTemplate[0].pValue, 0, pTemplate[0].ulValueLen);
+		isc_safe_memwipe(pTemplate[0].pValue,
+				 pTemplate[0].ulValueLen);
 		isc_mem_put(key->mctx,
 			    pTemplate[0].pValue,
 			    pTemplate[0].ulValueLen);
 	}
 	if (pTemplate[1].pValue != NULL) {
-		memset(pTemplate[1].pValue, 0, pTemplate[1].ulValueLen);
+		isc_safe_memwipe(pTemplate[1].pValue,
+				 pTemplate[1].ulValueLen);
 		isc_mem_put(key->mctx,
 			    pTemplate[1].pValue,
 			    pTemplate[1].ulValueLen);
 	}
 
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -624,7 +629,8 @@ pkcs11dh_destroy(dst_key_t *key) {
 		case CKA_PRIME:
 		case CKA_BASE:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -632,10 +638,10 @@ pkcs11dh_destroy(dst_key_t *key) {
 			break;
 		}
 	if (dh->repr != NULL) {
-		memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
 	}
-	memset(dh, 0, sizeof(*dh));
+	isc_safe_memwipe(dh, sizeof(*dh));
 	isc_mem_put(key->mctx, dh, sizeof(*dh));
 	key->keydata.pkey = NULL;
 }
@@ -740,42 +746,43 @@ pkcs11dh_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	pk11_object_t *dh;
+	pk11_object_t *dh = NULL;
 	isc_region_t r;
 	isc_uint16_t plen, glen, plen_, glen_, publen;
 	CK_BYTE *prime = NULL, *base = NULL, *pub = NULL;
 	CK_ATTRIBUTE *attr;
 	int special = 0;
+	isc_result_t result;
 
 	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0)
-		return (ISC_R_SUCCESS);
+	if (r.length == 0) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
 
 	dh = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*dh));
-	if (dh == NULL)
-		return (ISC_R_NOMEMORY);
+	if (dh == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+
 	memset(dh, 0, sizeof(*dh));
+	result = DST_R_INVALIDPUBLICKEY;
 
 	/*
 	 * Read the prime length.  1 & 2 are table entries, > 16 means a
 	 * prime follows, otherwise an error.
 	 */
-	if (r.length < 2) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (r.length < 2)
+		goto cleanup;
+
 	plen = uint16_fromregion(&r);
-	if (plen < 16 && plen != 1 && plen != 2) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-	if (r.length < plen) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (plen < 16 && plen != 1 && plen != 2)
+		goto cleanup;
+
+	if (r.length < plen)
+		goto cleanup;
+
 	plen_ = plen;
 	if (plen == 1 || plen == 2) {
 		if (plen == 1) {
@@ -798,9 +805,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 				plen_ = sizeof(pk11_dh_bn1536);
 				break;
 			default:
-				memset(dh, 0, sizeof(*dh));
-				isc_mem_put(key->mctx, dh, sizeof(*dh));
-				return (DST_R_INVALIDPUBLICKEY);
+				goto cleanup;
 		}
 	}
 	else {
@@ -813,17 +818,13 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	 * special, but it might not be.  If it's 0 and the prime is not
 	 * special, we have a problem.
 	 */
-	if (r.length < 2) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (r.length < 2)
+		goto cleanup;
+
 	glen = uint16_fromregion(&r);
-	if (r.length < glen) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (r.length < glen)
+		goto cleanup;
+
 	glen_ = glen;
 	if (special != 0) {
 		if (glen == 0) {
@@ -832,38 +833,26 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		}
 		else {
 			base = r.base;
-			if (isc_safe_memequal(base, pk11_dh_bn2, glen)) {
-				base = pk11_dh_bn2;
-				glen_ = sizeof(pk11_dh_bn2);
-			}
-			else {
-				memset(dh, 0, sizeof(*dh));
-				isc_mem_put(key->mctx, dh, sizeof(*dh));
-				return (DST_R_INVALIDPUBLICKEY);
-			}
+			if (!isc_safe_memequal(base, pk11_dh_bn2, glen))
+				goto cleanup;
+			base = pk11_dh_bn2;
+			glen_ = sizeof(pk11_dh_bn2);
 		}
 	}
 	else {
-		if (glen == 0) {
-			memset(dh, 0, sizeof(*dh));
-			isc_mem_put(key->mctx, dh, sizeof(*dh));
-			return (DST_R_INVALIDPUBLICKEY);
-		}
+		if (glen == 0)
+			goto cleanup;
 		base = r.base;
 	}
 	isc_region_consume(&r, glen);
 
-	if (r.length < 2) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (r.length < 2)
+		goto cleanup;
+
 	publen = uint16_fromregion(&r);
-	if (r.length < publen) {
-		memset(dh, 0, sizeof(*dh));
-		isc_mem_put(key->mctx, dh, sizeof(*dh));
-		return (DST_R_INVALIDPUBLICKEY);
-	}
+	if (r.length < publen)
+		goto cleanup;
+
 	pub = r.base;
 	isc_region_consume(&r, publen);
 
@@ -903,7 +892,7 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	return (ISC_R_SUCCESS);
 
-    nomemory:
+ nomemory:
 	for (attr = pk11_attribute_first(dh);
 	     attr != NULL;
 	     attr = pk11_attribute_next(dh, attr))
@@ -912,7 +901,8 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		case CKA_PRIME:
 		case CKA_BASE:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -920,12 +910,18 @@ pkcs11dh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			break;
 		}
 	if (dh->repr != NULL) {
-		memset(dh->repr, 0, dh->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(dh->repr, dh->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx, dh->repr, dh->attrcnt * sizeof(*attr));
 	}
-	memset(dh, 0, sizeof(*dh));
-	isc_mem_put(key->mctx, dh, sizeof(*dh));
-	return (ISC_R_NOMEMORY);
+
+	result = ISC_R_NOMEMORY;
+
+ cleanup:
+	if (dh != NULL) {
+		isc_safe_memwipe(dh, sizeof(*dh));
+		isc_mem_put(key->mctx, dh, sizeof(*dh));
+	}
+	return (result);
 }
 
 static isc_result_t
@@ -1009,7 +1005,7 @@ pkcs11dh_tofile(const dst_key_t *key, const char *directory) {
 	for (i = 0; i < 4; i++) {
 		if (bufs[i] == NULL)
 			break;
-		memset(bufs[i], 0, prime->ulValueLen);
+		isc_safe_memwipe(bufs[i], prime->ulValueLen);
 		isc_mem_put(key->mctx, bufs[i], prime->ulValueLen);
 	}
 	return (result);
@@ -1097,7 +1093,7 @@ pkcs11dh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
  err:
 	pkcs11dh_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/pkcs11dsa_link.c b/usr.sbin/bind/lib/dns/pkcs11dsa_link.c
index ebfd9791356..5bb1250926c 100644
--- a/usr.sbin/bind/lib/dns/pkcs11dsa_link.c
+++ b/usr.sbin/bind/lib/dns/pkcs11dsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -186,8 +186,8 @@ pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 
 	for (i = 6; i <= 9; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -200,14 +200,14 @@ pkcs11dsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
 	for (i = 6; i <= 9; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -318,8 +318,8 @@ pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 
 	for (i = 5; i <= 8; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -332,14 +332,14 @@ pkcs11dsa_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
 	for (i = 5; i <= 8; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -363,7 +363,7 @@ pkcs11dsa_destroyctx(dst_context_t *dctx) {
 			(void) pkcs_C_DestroyObject(pk11_ctx->session,
 					       pk11_ctx->object);
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 		dctx->ctxdata.pk11_ctx = NULL;
 	}
@@ -645,7 +645,7 @@ pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ISC_R_SUCCESS);
@@ -659,7 +659,7 @@ pkcs11dsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	if (dp != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, dp);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -696,7 +696,8 @@ pkcs11dsa_destroy(dst_key_t *key) {
 		case CKA_VALUE:
 		case CKA_VALUE2:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -704,12 +705,12 @@ pkcs11dsa_destroy(dst_key_t *key) {
 			break;
 		}
 	if (dsa->repr != NULL) {
-		memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
 			    dsa->repr,
 			    dsa->attrcnt * sizeof(*attr));
 	}
-	memset(dsa, 0, sizeof(*dsa));
+	isc_safe_memwipe(dsa, sizeof(*dsa));
 	isc_mem_put(key->mctx, dsa, sizeof(*dsa));
 	key->keydata.pkey = NULL;
 }
@@ -807,14 +808,14 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	t = (unsigned int) *r.base;
 	isc_region_consume(&r, 1);
 	if (t > 8) {
-		memset(dsa, 0, sizeof(*dsa));
+		isc_safe_memwipe(dsa, sizeof(*dsa));
 		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
 		return (DST_R_INVALIDPUBLICKEY);
 	}
 	p_bytes = 64 + 8 * t;
 
 	if (r.length < ISC_SHA1_DIGESTLENGTH + 3 * p_bytes) {
-		memset(dsa, 0, sizeof(*dsa));
+		isc_safe_memwipe(dsa, sizeof(*dsa));
 		isc_mem_put(key->mctx, dsa, sizeof(*dsa));
 		return (DST_R_INVALIDPUBLICKEY);
 	}
@@ -884,7 +885,8 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		case CKA_BASE:
 		case CKA_VALUE:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -892,12 +894,12 @@ pkcs11dsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			break;
 		}
 	if (dsa->repr != NULL) {
-		memset(dsa->repr, 0, dsa->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(dsa->repr, dsa->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
 			    dsa->repr,
 			    dsa->attrcnt * sizeof(*attr));
 	}
-	memset(dsa, 0, sizeof(*dsa));
+	isc_safe_memwipe(dsa, sizeof(*dsa));
 	isc_mem_put(key->mctx, dsa, sizeof(*dsa));
 	return (ISC_R_NOMEMORY);
 }
@@ -1005,7 +1007,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		key->key_size = pub->key_size;
 
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 
 		return (ISC_R_SUCCESS);
 	}
@@ -1081,7 +1083,7 @@ pkcs11dsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
  err:
 	pkcs11dsa_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c b/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c
index a78bedf99b8..7a0cba5a9d4 100644
--- a/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c
+++ b/usr.sbin/bind/lib/dns/pkcs11ecdsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c b/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c
new file mode 100644
index 00000000000..5eb78004356
--- /dev/null
+++ b/usr.sbin/bind/lib/dns/pkcs11eddsa_link.c
@@ -0,0 +1,1188 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#if defined(PKCS11CRYPTO) && \
+    defined(HAVE_PKCS11_ED25519) || defined(HAVE_PKCS11_ED448)
+
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/safe.h>
+#include <isc/sha2.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+#include "dst_parse.h"
+#include "dst_pkcs11.h"
+
+#include <pk11/pk11.h>
+#include <pk11/internal.h>
+#define WANT_ECC_CURVES
+#include <pk11/constants.h>
+
+#include <pkcs11/pkcs11.h>
+#include <pkcs11/eddsa.h>
+
+/*
+ * FIPS 186-3 EDDSA keys:
+ *  mechanisms:
+ *    CKM_EDDSA,
+ *    CKM_EDDSA_KEY_PAIR_GEN
+ *  domain parameters:
+ *    CKA_EC_PARAMS (choice with OID namedCurve)
+ *  public keys:
+ *    object class CKO_PUBLIC_KEY
+ *    key type CKK_EDDSA
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_EC_POINT (big int A, CKA_VALUE on the token)
+ *  private keys:
+ *    object class CKO_PRIVATE_KEY
+ *    key type CKK_EDDSA
+ *    attribute CKA_EC_PARAMS (choice with OID namedCurve)
+ *    attribute CKA_VALUE (big int k)
+ */
+
+#define DST_RET(a) {ret = a; goto err;}
+
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+static isc_result_t pkcs11eddsa_todns(const dst_key_t *key,
+				      isc_buffer_t *data);
+static void pkcs11eddsa_destroy(dst_key_t *key);
+static isc_result_t pkcs11eddsa_fetch(dst_key_t *key, const char *engine,
+				      const char *label, dst_key_t *pub);
+
+static isc_result_t
+pkcs11eddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+	isc_buffer_t *buf = NULL;
+	isc_result_t result;
+
+	UNUSED(key);
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_allocate(dctx->mctx, &buf, 16);
+	isc_buffer_setautorealloc(buf, ISC_TRUE);
+	dctx->ctxdata.generic = buf;
+
+	return (result);
+}
+
+static void
+pkcs11eddsa_destroyctx(dst_context_t *dctx) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+	if (buf != NULL)
+		isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	isc_buffer_t *nbuf = NULL;
+	isc_region_t r;
+	unsigned int length;
+	isc_result_t result;
+
+	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
+		dctx->key->key_alg == DST_ALG_ED448);
+
+	result = isc_buffer_copyregion(buf, data);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_R_SUCCESS);
+
+	length = isc_buffer_length(buf) + data->length + 64;
+	result = isc_buffer_allocate(dctx->mctx, &nbuf, length);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	isc_buffer_usedregion(buf, &r);
+	(void) isc_buffer_copyregion(nbuf, &r);
+	(void) isc_buffer_copyregion(nbuf, data);
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = nbuf;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_ULONG siglen;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_region_t r;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		siglen = DNS_SIG_ED25519SIZE;
+	else
+		siglen = DNS_SIG_ED448SIZE;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN))
+		slotid = ec->slot;
+	else
+		slotid = pk11_get_best_token(OP_EC);
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+			       ec->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	isc_buffer_availableregion(sig, &r);
+	if (r.length < siglen)
+		DST_RET(ISC_R_NOSPACE);
+
+	if (ec->ontoken && (ec->object != CK_INVALID_HANDLE)) {
+		pk11_ctx->ontoken = ec->ontoken;
+		pk11_ctx->object = ec->object;
+		goto token_key;
+	}
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_VALUE:
+			INSIST(keyTemplate[6].type == attr->type);
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = ISC_FALSE;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+ token_key:
+
+	PK11_RET(pkcs_C_SignInit,
+		 (pk11_ctx->session, &mech,
+		  pk11_ctx->ontoken ? pk11_ctx->object : hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Sign,
+		 (pk11_ctx->session,
+		  (CK_BYTE_PTR) t.base, (CK_ULONG) t.length,
+		  (CK_BYTE_PTR) r.base, &siglen),
+		 DST_R_SIGNFAILURE);
+
+	isc_buffer_add(sig, (unsigned int) siglen);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
+	isc_buffer_t *buf = (isc_buffer_t *) dctx->ctxdata.generic;
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA, NULL, 0 };
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE keyTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 },
+		{ CKA_VALUE, NULL, 0 }
+	};
+	CK_ATTRIBUTE *attr;
+	CK_SLOT_ID slotid;
+	pk11_context_t *pk11_ctx;
+	dst_key_t *key = dctx->key;
+	pk11_object_t *ec = key->keydata.pkey;
+	isc_region_t t;
+	isc_result_t ret = ISC_R_SUCCESS;
+	unsigned int i;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	REQUIRE(ec != NULL);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	if (ec->ontoken && (dctx->use == DO_SIGN))
+		slotid = ec->slot;
+	else
+		slotid = pk11_get_best_token(OP_EC);
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+			       ec->reqlogon, NULL, slotid);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+			INSIST(keyTemplate[5].type == attr->type);
+			keyTemplate[5].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[5].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[5].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[5].ulValueLen = attr->ulValueLen;
+			break;
+		case CKA_EC_POINT:
+			/* keyTemplate[6].type is CKA_VALUE */
+			keyTemplate[6].pValue = isc_mem_get(dctx->mctx,
+							    attr->ulValueLen);
+			if (keyTemplate[6].pValue == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+			memmove(keyTemplate[6].pValue, attr->pValue,
+				attr->ulValueLen);
+			keyTemplate[6].ulValueLen = attr->ulValueLen;
+			break;
+		}
+	pk11_ctx->object = CK_INVALID_HANDLE;
+	pk11_ctx->ontoken = ISC_FALSE;
+	PK11_RET(pkcs_C_CreateObject,
+		 (pk11_ctx->session,
+		  keyTemplate, (CK_ULONG) 7,
+		  &hKey),
+		 ISC_R_FAILURE);
+
+	PK11_RET(pkcs_C_VerifyInit,
+		 (pk11_ctx->session, &mech, hKey),
+		 ISC_R_FAILURE);
+
+	isc_buffer_usedregion(buf, &t);
+
+	PK11_RET(pkcs_C_Verify,
+		 (pk11_ctx->session,
+		  (CK_BYTE_PTR) t.base, (CK_ULONG) t.length,
+		  (CK_BYTE_PTR) sig->base, (CK_ULONG) sig->length),
+		 DST_R_VERIFYFAILURE);
+
+ err:
+
+	if (hKey != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
+	for (i = 5; i <= 6; i++)
+		if (keyTemplate[i].pValue != NULL) {
+			memset(keyTemplate[i].pValue, 0,
+			       keyTemplate[i].ulValueLen);
+			isc_mem_put(dctx->mctx,
+				    keyTemplate[i].pValue,
+				    keyTemplate[i].ulValueLen);
+		}
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	isc_buffer_free(&buf);
+	dctx->ctxdata.generic = NULL;
+
+	return (ret);
+}
+
+static isc_boolean_t
+pkcs11eddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
+	pk11_object_t *ec1, *ec2;
+	CK_ATTRIBUTE *attr1, *attr2;
+
+	ec1 = key1->keydata.pkey;
+	ec2 = key2->keydata.pkey;
+
+	if ((ec1 == NULL) && (ec2 == NULL))
+		return (ISC_TRUE);
+	else if ((ec1 == NULL) || (ec2 == NULL))
+		return (ISC_FALSE);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_PARAMS);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_PARAMS);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (ISC_TRUE);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (ISC_FALSE);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_EC_POINT);
+	attr2 = pk11_attribute_bytype(ec2, CKA_EC_POINT);
+	if ((attr1 == NULL) && (attr2 == NULL))
+		return (ISC_TRUE);
+	else if ((attr1 == NULL) || (attr2 == NULL) ||
+		 (attr1->ulValueLen != attr2->ulValueLen) ||
+		 !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				    attr1->ulValueLen))
+		return (ISC_FALSE);
+
+	attr1 = pk11_attribute_bytype(ec1, CKA_VALUE);
+	attr2 = pk11_attribute_bytype(ec2, CKA_VALUE);
+	if (((attr1 != NULL) || (attr2 != NULL)) &&
+	    ((attr1 == NULL) || (attr2 == NULL) ||
+	     (attr1->ulValueLen != attr2->ulValueLen) ||
+	     !isc_safe_memequal(attr1->pValue, attr2->pValue,
+				attr1->ulValueLen)))
+		return (ISC_FALSE);
+
+	if (!ec1->ontoken && !ec2->ontoken)
+		return (ISC_TRUE);
+	else if (ec1->ontoken || ec2->ontoken ||
+		 (ec1->object != ec2->object))
+		return (ISC_FALSE);
+
+	return (ISC_TRUE);
+}
+
+#define SETCURVE() \
+	if (key->key_alg == DST_ALG_ED25519) { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_ed25519)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519)); \
+		attr->ulValueLen = sizeof(pk11_ecc_ed25519); \
+	} else { \
+		attr->pValue = isc_mem_get(key->mctx, \
+					   sizeof(pk11_ecc_ed448)); \
+		if (attr->pValue == NULL) \
+			DST_RET(ISC_R_NOMEMORY); \
+		memmove(attr->pValue, \
+			pk11_ecc_ed448, sizeof(pk11_ecc_ed448)); \
+		attr->ulValueLen = sizeof(pk11_ecc_ed448); \
+	}
+
+#define FREECURVE() \
+	if (attr->pValue != NULL) { \
+		memset(attr->pValue, 0, attr->ulValueLen); \
+		isc_mem_put(key->mctx, attr->pValue, attr->ulValueLen); \
+		attr->pValue = NULL; \
+	}
+
+static isc_result_t
+pkcs11eddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
+	CK_RV rv;
+	CK_MECHANISM mech = { CKM_EDDSA_KEY_PAIR_GEN, NULL, 0 };
+	CK_OBJECT_HANDLE pub = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS pubClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE  keyType = CKK_EDDSA;
+	CK_ATTRIBUTE pubTemplate[] =
+	{
+		{ CKA_CLASS, &pubClass, (CK_ULONG) sizeof(pubClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_VERIFY, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_EC_PARAMS, NULL, 0 }
+	};
+	CK_OBJECT_HANDLE priv = CK_INVALID_HANDLE;
+	CK_OBJECT_HANDLE privClass = CKO_PRIVATE_KEY;
+	CK_ATTRIBUTE privTemplate[] =
+	{
+		{ CKA_CLASS, &privClass, (CK_ULONG) sizeof(privClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_PRIVATE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_SENSITIVE, &falsevalue, (CK_ULONG) sizeof(falsevalue) },
+		{ CKA_EXTRACTABLE, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) }
+	};
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx;
+	isc_result_t ret;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+	UNUSED(unused);
+	UNUSED(callback);
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+			       ISC_FALSE, NULL, pk11_get_best_token(OP_EC));
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_VALUE;
+	attr[2].type = CKA_VALUE;
+
+	attr = &pubTemplate[5];
+	SETCURVE();
+
+	PK11_RET(pkcs_C_GenerateKeyPair,
+		 (pk11_ctx->session, &mech,
+		  pubTemplate, (CK_ULONG) 6,
+		  privTemplate, (CK_ULONG) 7,
+		  &pub, &priv),
+		 DST_R_CRYPTOFAILURE);
+
+	attr = &pubTemplate[5];
+	FREECURVE();
+
+	attr = ec->repr;
+	SETCURVE();
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, pub, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->type = CKA_EC_POINT;
+
+	attr++;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+	attr->pValue = isc_mem_get(key->mctx, attr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(attr->pValue, 0, attr->ulValueLen);
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, priv, attr, 1),
+		 DST_R_CRYPTOFAILURE);
+
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	if (priv != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
+	if (pub != CK_INVALID_HANDLE)
+		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+
+	return (ret);
+}
+
+static isc_boolean_t
+pkcs11eddsa_isprivate(const dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return (ISC_FALSE);
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	return (ISC_TF((attr != NULL) || ec->ontoken));
+}
+
+static void
+pkcs11eddsa_destroy(dst_key_t *key) {
+	pk11_object_t *ec = key->keydata.pkey;
+	CK_ATTRIBUTE *attr;
+
+	if (ec == NULL)
+		return;
+
+	INSIST((ec->object == CK_INVALID_HANDLE) || ec->ontoken);
+
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_LABEL:
+		case CKA_ID:
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+		case CKA_VALUE:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	key->keydata.pkey = NULL;
+}
+
+static isc_result_t
+pkcs11eddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->keydata.pkey != NULL);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		len = DNS_KEY_ED25519SIZE;
+	else
+		len = DNS_KEY_ED448SIZE;
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_EC_POINT);
+	if ((attr == NULL) || (attr->ulValueLen != len))
+		return (ISC_R_FAILURE);
+
+	isc_buffer_availableregion(data, &r);
+	if (r.length < len)
+		return (ISC_R_NOSPACE);
+	memmove(r.base, (CK_BYTE_PTR) attr->pValue, len);
+	isc_buffer_add(data, len);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+pkcs11eddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
+	pk11_object_t *ec;
+	isc_region_t r;
+	unsigned int len;
+	CK_ATTRIBUTE *attr;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if (key->key_alg == DST_ALG_ED25519)
+		len = DNS_KEY_ED25519SIZE;
+	else
+		len = DNS_KEY_ED448SIZE;
+
+	isc_buffer_remainingregion(data, &r);
+	if (r.length == 0)
+		return (ISC_R_SUCCESS);
+	if (r.length != len)
+		return (DST_R_INVALIDPUBLICKEY);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		goto nomemory;
+	ec->attrcnt = 2;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	if (key->key_alg == DST_ALG_ED25519) {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_ed25519));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_ed25519, sizeof(pk11_ecc_ed25519));
+		attr->ulValueLen = sizeof(pk11_ecc_ed25519);
+	} else {
+		attr->pValue =
+			isc_mem_get(key->mctx, sizeof(pk11_ecc_ed448));
+		if (attr->pValue == NULL)
+			goto nomemory;
+		memmove(attr->pValue,
+			pk11_ecc_ed448, sizeof(pk11_ecc_ed448));
+		attr->ulValueLen = sizeof(pk11_ecc_ed448);
+	}
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	attr->pValue = isc_mem_get(key->mctx, len);
+	if (attr->pValue == NULL)
+		goto nomemory;
+	memmove((CK_BYTE_PTR) attr->pValue, r.base, len);
+	attr->ulValueLen = len;
+
+	isc_buffer_forward(data, len);
+	key->keydata.pkey = ec;
+	key->key_size = len;
+	return (ISC_R_SUCCESS);
+
+ nomemory:
+	for (attr = pk11_attribute_first(ec);
+	     attr != NULL;
+	     attr = pk11_attribute_next(ec, attr))
+		switch (attr->type) {
+		case CKA_EC_PARAMS:
+		case CKA_EC_POINT:
+			FREECURVE();
+			break;
+		}
+	if (ec->repr != NULL) {
+		memset(ec->repr, 0, ec->attrcnt * sizeof(*attr));
+		isc_mem_put(key->mctx,
+			    ec->repr,
+			    ec->attrcnt * sizeof(*attr));
+	}
+	memset(ec, 0, sizeof(*ec));
+	isc_mem_put(key->mctx, ec, sizeof(*ec));
+	return (ISC_R_NOMEMORY);
+}
+
+static isc_result_t
+pkcs11eddsa_tofile(const dst_key_t *key, const char *directory) {
+	isc_result_t ret;
+	pk11_object_t *ec;
+	dst_private_t priv;
+	unsigned char *buf = NULL;
+	unsigned int i = 0;
+	CK_ATTRIBUTE *attr;
+
+	if (key->keydata.pkey == NULL)
+		return (DST_R_NULLKEY);
+
+	if (key->external) {
+		priv.nelements = 0;
+		return (dst__privstruct_writefile(key, &priv, directory));
+	}
+
+	ec = key->keydata.pkey;
+	attr = pk11_attribute_bytype(ec, CKA_VALUE);
+	if (attr != NULL) {
+		buf = isc_mem_get(key->mctx, attr->ulValueLen);
+		if (buf == NULL)
+			return (ISC_R_NOMEMORY);
+		priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
+		priv.elements[i].length = (unsigned short) attr->ulValueLen;
+		memmove(buf, attr->pValue, attr->ulValueLen);
+		priv.elements[i].data = buf;
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_EDDSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
+
+	priv.nelements = i;
+	ret = dst__privstruct_writefile(key, &priv, directory);
+
+	if (buf != NULL) {
+		memset(buf, 0, attr->ulValueLen);
+		isc_mem_put(key->mctx, buf, attr->ulValueLen);
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fetch(dst_key_t *key, const char *engine, const char *label,
+		  dst_key_t *pub)
+{
+	CK_RV rv;
+	CK_OBJECT_CLASS keyClass = CKO_PRIVATE_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	CK_ATTRIBUTE *pubattr;
+	pk11_object_t *ec;
+	pk11_object_t *pubec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+
+	if (label == NULL)
+		return (DST_R_NOENGINE);
+
+	ec = key->keydata.pkey;
+	pubec = pub->keydata.pkey;
+
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = ISC_TRUE;
+	ec->reqlogon = ISC_TRUE;
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+
+	attr->type = CKA_EC_PARAMS;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_PARAMS);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+	attr++;
+
+	attr->type = CKA_EC_POINT;
+	pubattr = pk11_attribute_bytype(pubec, CKA_EC_POINT);
+	attr->pValue = isc_mem_get(key->mctx, pubattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pubattr->pValue, pubattr->ulValueLen);
+	attr->ulValueLen = pubattr->ulValueLen;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
+	dst_private_t priv;
+	isc_result_t ret;
+	pk11_object_t *ec = NULL;
+	CK_ATTRIBUTE *attr, *pattr;
+	isc_mem_t *mctx = key->mctx;
+	unsigned int i;
+	const char *engine = NULL, *label = NULL;
+
+	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
+		key->key_alg == DST_ALG_ED448);
+
+	if ((pub == NULL) || (pub->keydata.pkey == NULL))
+		DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+	/* read private key file */
+	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
+	if (ret != ISC_R_SUCCESS)
+		return (ret);
+
+	if (key->external) {
+		if (priv.nelements != 0)
+			DST_RET(DST_R_INVALIDPRIVATEKEY);
+
+		key->keydata.pkey = pub->keydata.pkey;
+		pub->keydata.pkey = NULL;
+		key->key_size = pub->key_size;
+
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+
+		return (ISC_R_SUCCESS);
+	}
+
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_EDDSA_ENGINE:
+			engine = (char *)priv.elements[i].data;
+			break;
+		case TAG_EDDSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	key->keydata.pkey = ec;
+
+	/* Is this key is stored in a HSM? See if we can fetch it. */
+	if ((label != NULL) || (engine != NULL)) {
+		ret = pkcs11eddsa_fetch(key, engine, label, pub);
+		if (ret != ISC_R_SUCCESS)
+			goto err;
+		dst__privstruct_free(&priv, mctx);
+		memset(&priv, 0, sizeof(priv));
+		return (ret);
+	}
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 3);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 3);
+	ec->attrcnt = 3;
+
+	attr = ec->repr;
+	attr->type = CKA_EC_PARAMS;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_PARAMS);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_EC_POINT;
+	pattr = pk11_attribute_bytype(pub->keydata.pkey, CKA_EC_POINT);
+	INSIST(pattr != NULL);
+	attr->pValue = isc_mem_get(key->mctx, pattr->ulValueLen);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, pattr->pValue, pattr->ulValueLen);
+	attr->ulValueLen = pattr->ulValueLen;
+
+	attr++;
+	attr->type = CKA_VALUE;
+	attr->pValue = isc_mem_get(key->mctx, priv.elements[0].length);
+	if (attr->pValue == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memmove(attr->pValue, priv.elements[0].data, priv.elements[0].length);
+	attr->ulValueLen = priv.elements[0].length;
+
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	dst__privstruct_free(&priv, mctx);
+	memset(&priv, 0, sizeof(priv));
+	return (ret);
+}
+
+static isc_result_t
+pkcs11eddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		      const char *pin)
+{
+	CK_RV rv;
+	CK_OBJECT_HANDLE hKey = CK_INVALID_HANDLE;
+	CK_OBJECT_CLASS keyClass = CKO_PUBLIC_KEY;
+	CK_KEY_TYPE keyType = CKK_EDDSA;
+	CK_ATTRIBUTE searchTemplate[] =
+	{
+		{ CKA_CLASS, &keyClass, (CK_ULONG) sizeof(keyClass) },
+		{ CKA_KEY_TYPE, &keyType, (CK_ULONG) sizeof(keyType) },
+		{ CKA_TOKEN, &truevalue, (CK_ULONG) sizeof(truevalue) },
+		{ CKA_LABEL, NULL, 0 }
+	};
+	CK_ULONG cnt;
+	CK_ATTRIBUTE *attr;
+	pk11_object_t *ec;
+	pk11_context_t *pk11_ctx = NULL;
+	isc_result_t ret;
+	unsigned int i;
+
+	UNUSED(pin);
+
+	ec = (pk11_object_t *) isc_mem_get(key->mctx, sizeof(*ec));
+	if (ec == NULL)
+		return (ISC_R_NOMEMORY);
+	memset(ec, 0, sizeof(*ec));
+	ec->object = CK_INVALID_HANDLE;
+	ec->ontoken = ISC_TRUE;
+	ec->reqlogon = ISC_TRUE;
+	key->keydata.pkey = ec;
+
+	ec->repr = (CK_ATTRIBUTE *) isc_mem_get(key->mctx, sizeof(*attr) * 2);
+	if (ec->repr == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	memset(ec->repr, 0, sizeof(*attr) * 2);
+	ec->attrcnt = 2;
+	attr = ec->repr;
+	attr[0].type = CKA_EC_PARAMS;
+	attr[1].type = CKA_VALUE;
+
+	ret = pk11_parse_uri(ec, label, key->mctx, OP_EC);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
+						  sizeof(*pk11_ctx));
+	if (pk11_ctx == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	ret = pk11_get_session(pk11_ctx, OP_EC, ISC_TRUE, ISC_FALSE,
+			       ec->reqlogon, NULL, ec->slot);
+	if (ret != ISC_R_SUCCESS)
+		goto err;
+
+	attr = pk11_attribute_bytype(ec, CKA_LABEL);
+	if (attr == NULL) {
+		attr = pk11_attribute_bytype(ec, CKA_ID);
+		INSIST(attr != NULL);
+		searchTemplate[3].type = CKA_ID;
+	}
+	searchTemplate[3].pValue = attr->pValue;
+	searchTemplate[3].ulValueLen = attr->ulValueLen;
+
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &hKey, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	attr = ec->repr;
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	for (i = 0; i <= 1; i++) {
+		attr[i].pValue = isc_mem_get(key->mctx, attr[i].ulValueLen);
+		if (attr[i].pValue == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		memset(attr[i].pValue, 0, attr[i].ulValueLen);
+	}
+	PK11_RET(pkcs_C_GetAttributeValue,
+		 (pk11_ctx->session, hKey, attr, 2),
+		 DST_R_CRYPTOFAILURE);
+	attr[1].type = CKA_EC_POINT;
+
+	keyClass = CKO_PRIVATE_KEY;
+	PK11_RET(pkcs_C_FindObjectsInit,
+		 (pk11_ctx->session, searchTemplate, (CK_ULONG) 4),
+		 DST_R_CRYPTOFAILURE);
+	PK11_RET(pkcs_C_FindObjects,
+		 (pk11_ctx->session, &ec->object, (CK_ULONG) 1, &cnt),
+		 DST_R_CRYPTOFAILURE);
+	(void) pkcs_C_FindObjectsFinal(pk11_ctx->session);
+	if (cnt == 0)
+		DST_RET(ISC_R_NOTFOUND);
+	if (cnt > 1)
+		DST_RET(ISC_R_EXISTS);
+
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+	}
+
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (key->key_alg == DST_ALG_ED25519)
+		key->key_size = DNS_KEY_ED25519SIZE;
+	else
+		key->key_size = DNS_KEY_ED448SIZE;
+
+	pk11_return_session(pk11_ctx);
+	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	return (ISC_R_SUCCESS);
+
+ err:
+	pkcs11eddsa_destroy(key);
+	if (pk11_ctx != NULL) {
+		pk11_return_session(pk11_ctx);
+		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
+	}
+	return (ret);
+}
+
+static dst_func_t pkcs11eddsa_functions = {
+	pkcs11eddsa_createctx,
+	NULL, /*%< createctx2 */
+	pkcs11eddsa_destroyctx,
+	pkcs11eddsa_adddata,
+	pkcs11eddsa_sign,
+	pkcs11eddsa_verify,
+	NULL, /*%< verify2 */
+	NULL, /*%< computesecret */
+	pkcs11eddsa_compare,
+	NULL, /*%< paramcompare */
+	pkcs11eddsa_generate,
+	pkcs11eddsa_isprivate,
+	pkcs11eddsa_destroy,
+	pkcs11eddsa_todns,
+	pkcs11eddsa_fromdns,
+	pkcs11eddsa_tofile,
+	pkcs11eddsa_parse,
+	NULL, /*%< cleanup */
+	pkcs11eddsa_fromlabel,
+	NULL, /*%< dump */
+	NULL, /*%< restore */
+};
+
+isc_result_t
+dst__pkcs11eddsa_init(dst_func_t **funcp) {
+	REQUIRE(funcp != NULL);
+	if (*funcp == NULL)
+		*funcp = &pkcs11eddsa_functions;
+	return (ISC_R_SUCCESS);
+}
+
+#else /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */
+
+#include <isc/util.h>
+
+EMPTY_TRANSLATION_UNIT
+
+#endif /* PKCS11CRYPTO && HAVE_PKCS11_EDxxx */
+/*! \file */
diff --git a/usr.sbin/bind/lib/dns/pkcs11gost_link.c b/usr.sbin/bind/lib/dns/pkcs11gost_link.c
index 6561a1916c2..6b5922f8259 100644
--- a/usr.sbin/bind/lib/dns/pkcs11gost_link.c
+++ b/usr.sbin/bind/lib/dns/pkcs11gost_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -98,7 +98,7 @@ isc_gost_invalidate(isc_gost_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(ctx);
 }
 
@@ -217,8 +217,8 @@ pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 
 	for (i = 6; i <= 6; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -231,14 +231,14 @@ pkcs11gost_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
 	for (i = 6; i <= 6; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -322,8 +322,8 @@ pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 
 	for (i = 5; i <= 5; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -336,14 +336,14 @@ pkcs11gost_createctx_verify(dst_key_t *key, dst_context_t *dctx) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pk11_ctx->object);
 	for (i = 5; i <= 5; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -367,7 +367,7 @@ pkcs11gost_destroyctx(dst_context_t *dctx) {
 			(void) pkcs_C_DestroyObject(pk11_ctx->session,
 					       pk11_ctx->object);
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 		dctx->ctxdata.pk11_ctx = NULL;
 	}
@@ -574,7 +574,7 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ISC_R_SUCCESS);
@@ -586,7 +586,7 @@ pkcs11gost_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 	if (pub != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -620,7 +620,8 @@ pkcs11gost_destroy(dst_key_t *key) {
 		case CKA_VALUE:
 		case CKA_VALUE2:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -628,12 +629,11 @@ pkcs11gost_destroy(dst_key_t *key) {
 			break;
 		}
 	if (gost->repr != NULL) {
-		memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
-			    gost->repr,
-			    gost->attrcnt * sizeof(*attr));
+			    gost->repr, gost->attrcnt * sizeof(*attr));
 	}
-	memset(gost, 0, sizeof(*gost));
+	isc_safe_memwipe(gost, sizeof(*gost));
 	isc_mem_put(key->mctx, gost, sizeof(*gost));
 	key->keydata.pkey = NULL;
 }
@@ -701,7 +701,8 @@ pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		switch (attr->type) {
 		case CKA_VALUE:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -709,12 +710,11 @@ pkcs11gost_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			break;
 		}
 	if (gost->repr != NULL) {
-		memset(gost->repr, 0, gost->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(gost->repr, gost->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
-			    gost->repr,
-			    gost->attrcnt * sizeof(*attr));
+			    gost->repr, gost->attrcnt * sizeof(*attr));
 	}
-	memset(gost, 0, sizeof(*gost));
+	isc_safe_memwipe(gost, sizeof(*gost));
 	isc_mem_put(key->mctx, gost, sizeof(*gost));
 	return (ISC_R_NOMEMORY);
 }
@@ -773,7 +773,7 @@ pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
 	ret = dst__privstruct_writefile(key, &priv, directory);
 
 	if (buf != NULL) {
-		memset(buf, 0, attr->ulValueLen);
+		isc_safe_memwipe(buf, attr->ulValueLen);
 		isc_mem_put(key->mctx, buf, attr->ulValueLen);
 	}
 	return (ret);
@@ -816,7 +816,7 @@ pkcs11gost_tofile(const dst_key_t *key, const char *directory) {
 	ret = dst__privstruct_writefile(key, &priv, directory);
 
 	if (buf != NULL) {
-		memset(buf, 0, attr->ulValueLen);
+		isc_safe_memwipe(buf, attr->ulValueLen);
 		isc_mem_put(key->mctx, buf, attr->ulValueLen);
 	}
 	return (ret);
@@ -848,7 +848,7 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		key->key_size = pub->key_size;
 
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 
 		return (ISC_R_SUCCESS);
 	}
@@ -907,14 +907,14 @@ pkcs11gost_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 	attr->ulValueLen = priv.elements[0].length;
 
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 
 	return (ISC_R_SUCCESS);
 
  err:
 	pkcs11gost_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
diff --git a/usr.sbin/bind/lib/dns/pkcs11rsa_link.c b/usr.sbin/bind/lib/dns/pkcs11rsa_link.c
index 8f5d47c6dfb..f2979762650 100644
--- a/usr.sbin/bind/lib/dns/pkcs11rsa_link.c
+++ b/usr.sbin/bind/lib/dns/pkcs11rsa_link.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -98,6 +98,33 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 		key->key_alg == DST_ALG_RSASHA512);
 #endif
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 	rsa = key->keydata.pkey;
 
 	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
@@ -243,8 +270,8 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 
 	for (i = 6; i <= 13; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -258,14 +285,14 @@ pkcs11rsa_createctx_sign(dst_key_t *key, dst_context_t *dctx) {
 					    pk11_ctx->object);
 	for (i = 6; i <= 13; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -307,6 +334,33 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 		key->key_alg == DST_ALG_RSASHA512);
 #endif
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 	rsa = key->keydata.pkey;
 
 	pk11_ctx = (pk11_context_t *) isc_mem_get(dctx->mctx,
@@ -384,8 +438,8 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 
 	for (i = 5; i <= 6; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
@@ -399,14 +453,14 @@ pkcs11rsa_createctx_verify(dst_key_t *key, unsigned int maxbits,
 					    pk11_ctx->object);
 	for (i = 5; i <= 6; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -439,7 +493,7 @@ pkcs11rsa_destroyctx(dst_context_t *dctx) {
 			(void) pkcs_C_DestroyObject(pk11_ctx->session,
 						    pk11_ctx->object);
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 		dctx->ctxdata.pk11_ctx = NULL;
 	}
@@ -555,6 +609,33 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 #endif
 	REQUIRE(rsa != NULL);
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 	switch (key->key_alg) {
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
@@ -595,7 +676,7 @@ pkcs11rsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 
     err:
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -609,9 +690,9 @@ pkcs11rsa_destroyctx(dst_context_t *dctx) {
 
 	if (pk11_ctx != NULL) {
 		(void) pkcs_C_DigestFinal(pk11_ctx->session, garbage, &len);
-		memset(garbage, 0, sizeof(garbage));
+		isc_safe_memwipe(garbage, sizeof(garbage));
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 		dctx->ctxdata.pk11_ctx = NULL;
 	}
@@ -684,6 +765,33 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 #endif
 	REQUIRE(rsa != NULL);
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (dctx->key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (dctx->key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 512) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((dctx->key->key_size < 1024) ||
+		    (dctx->key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 	switch (key->key_alg) {
 #ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
@@ -851,14 +959,14 @@ pkcs11rsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
 	for (i = 6; i <= 13; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 	dctx->ctxdata.pk11_ctx = NULL;
 
@@ -995,14 +1103,14 @@ pkcs11rsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, hKey);
 	for (i = 5; i <= 6; i++)
 		if (keyTemplate[i].pValue != NULL) {
-			memset(keyTemplate[i].pValue, 0,
-			       keyTemplate[i].ulValueLen);
+			isc_safe_memwipe(keyTemplate[i].pValue,
+					 keyTemplate[i].ulValueLen);
 			isc_mem_put(dctx->mctx,
 				    keyTemplate[i].pValue,
 				    keyTemplate[i].ulValueLen);
 		}
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(dctx->mctx, pk11_ctx, sizeof(*pk11_ctx));
 	dctx->ctxdata.pk11_ctx = NULL;
 
@@ -1100,6 +1208,33 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 
 	UNUSED(callback);
 
+	/*
+	 * Reject incorrect RSA key lengths.
+	 */
+	switch (key->key_alg) {
+	case DST_ALG_RSAMD5:
+	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
+		/* From RFC 3110 */
+		if (key->key_size > 4096)
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA256:
+		/* From RFC 5702 */
+		if ((key->key_size < 512) ||
+		    (key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	case DST_ALG_RSASHA512:
+		/* From RFC 5702 */
+		if ((key->key_size < 1024) ||
+		    (key->key_size > 4096))
+			return (ISC_R_FAILURE);
+		break;
+	default:
+		INSIST(0);
+	}
+
 	pk11_ctx = (pk11_context_t *) isc_mem_get(key->mctx,
 						  sizeof(*pk11_ctx));
 	if (pk11_ctx == NULL)
@@ -1184,7 +1319,7 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, priv);
 	(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ISC_R_SUCCESS);
@@ -1196,7 +1331,7 @@ pkcs11rsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 	if (pub != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(pk11_ctx->session, pub);
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ret);
@@ -1238,7 +1373,8 @@ pkcs11rsa_destroy(dst_key_t *key) {
 		case CKA_EXPONENT_2:
 		case CKA_COEFFICIENT:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -1246,12 +1382,12 @@ pkcs11rsa_destroy(dst_key_t *key) {
 			break;
 		}
 	if (rsa->repr != NULL) {
-		memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(rsa->repr, rsa->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
 			    rsa->repr,
 			    rsa->attrcnt * sizeof(*attr));
 	}
-	memset(rsa, 0, sizeof(*rsa));
+	isc_safe_memwipe(rsa, sizeof(*rsa));
 	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 	key->keydata.pkey = NULL;
 }
@@ -1335,7 +1471,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	if (e_bytes == 0) {
 		if (r.length < 2) {
-			memset(rsa, 0, sizeof(*rsa));
+			isc_safe_memwipe(rsa, sizeof(*rsa));
 			isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 			return (DST_R_INVALIDPUBLICKEY);
 		}
@@ -1346,7 +1482,7 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	if (r.length < e_bytes) {
-		memset(rsa, 0, sizeof(*rsa));
+		isc_safe_memwipe(rsa, sizeof(*rsa));
 		isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 		return (DST_R_INVALIDPUBLICKEY);
 	}
@@ -1390,7 +1526,8 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 		case CKA_MODULUS:
 		case CKA_PUBLIC_EXPONENT:
 			if (attr->pValue != NULL) {
-				memset(attr->pValue, 0, attr->ulValueLen);
+				isc_safe_memwipe(attr->pValue,
+						 attr->ulValueLen);
 				isc_mem_put(key->mctx,
 					    attr->pValue,
 					    attr->ulValueLen);
@@ -1398,12 +1535,13 @@ pkcs11rsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 			break;
 		}
 	if (rsa->repr != NULL) {
-		memset(rsa->repr, 0, rsa->attrcnt * sizeof(*attr));
+		isc_safe_memwipe(rsa->repr,
+				 rsa->attrcnt * sizeof(*attr));
 		isc_mem_put(key->mctx,
 			    rsa->repr,
 			    rsa->attrcnt * sizeof(*attr));
 	}
-	memset(rsa, 0, sizeof(*rsa));
+	isc_safe_memwipe(rsa, sizeof(*rsa));
 	isc_mem_put(key->mctx, rsa, sizeof(*rsa));
 	return (ISC_R_NOMEMORY);
 }
@@ -1555,7 +1693,7 @@ pkcs11rsa_tofile(const dst_key_t *key, const char *directory) {
 	for (i = 0; i < 10; i++) {
 		if (bufs[i] == NULL)
 			break;
-		memset(bufs[i], 0, modulus->ulValueLen);
+		isc_safe_memwipe(bufs[i], modulus->ulValueLen);
 		isc_mem_put(key->mctx, bufs[i], modulus->ulValueLen);
 	}
 	return (result);
@@ -1661,7 +1799,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
 		DST_RET(ISC_R_NOMEMORY);
 
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	attr = pk11_attribute_bytype(rsa, CKA_MODULUS);
@@ -1673,7 +1811,7 @@ pkcs11rsa_fetch(dst_key_t *key, const char *engine, const char *label,
     err:
 	if (pk11_ctx != NULL) {
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 	}
 
@@ -1769,7 +1907,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		key->key_size = pub->key_size;
 
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 
 		return (ISC_R_SUCCESS);
 	}
@@ -1798,7 +1936,7 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		if (ret != ISC_R_SUCCESS)
 			goto err;
 		dst__privstruct_free(&priv, mctx);
-		memset(&priv, 0, sizeof(priv));
+		isc_safe_memwipe(&priv, sizeof(priv));
 		return (ret);
 	}
 
@@ -1903,14 +2041,14 @@ pkcs11rsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		DST_RET(ISC_R_RANGE);
 
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 
 	return (ISC_R_SUCCESS);
 
  err:
 	pkcs11rsa_destroy(key);
 	dst__privstruct_free(&priv, mctx);
-	memset(&priv, 0, sizeof(priv));
+	isc_safe_memwipe(&priv, sizeof(priv));
 	return (ret);
 }
 
@@ -2037,7 +2175,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	key->key_size = pk11_numbits(attr->pValue, attr->ulValueLen);
 
 	pk11_return_session(pk11_ctx);
-	memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+	isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 	isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 
 	return (ISC_R_SUCCESS);
@@ -2046,7 +2184,7 @@ pkcs11rsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	pkcs11rsa_destroy(key);
 	if (pk11_ctx != NULL) {
 		pk11_return_session(pk11_ctx);
-		memset(pk11_ctx, 0, sizeof(*pk11_ctx));
+		isc_safe_memwipe(pk11_ctx, sizeof(*pk11_ctx));
 		isc_mem_put(key->mctx, pk11_ctx, sizeof(*pk11_ctx));
 	}
 
diff --git a/usr.sbin/bind/lib/dns/portlist.c b/usr.sbin/bind/lib/dns/portlist.c
index 1f0c23d89d7..72e5398f64c 100644
--- a/usr.sbin/bind/lib/dns/portlist.c
+++ b/usr.sbin/bind/lib/dns/portlist.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: portlist.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/private.c b/usr.sbin/bind/lib/dns/private.c
index 3bfe726f00c..841c99d2140 100644
--- a/usr.sbin/bind/lib/dns/private.c
+++ b/usr.sbin/bind/lib/dns/private.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: private.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: private.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include "config.h"
 
@@ -23,6 +23,7 @@
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/types.h>
+#include <isc/util.h>
 
 #include <dns/nsec3.h>
 #include <dns/private.h>
@@ -307,7 +308,7 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
 		unsigned char newbuf[DNS_NSEC3PARAM_BUFFERSIZE];
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 		dns_rdata_nsec3param_t nsec3param;
-		isc_boolean_t delete, init, nonsec;
+		isc_boolean_t del, init, nonsec;
 		isc_buffer_t b;
 
 		if (!dns_nsec3param_fromprivate(private, &rdata, nsec3buf,
@@ -316,7 +317,7 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
 
 		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
 
-		delete = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
+		del = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0);
 		init = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_INITIAL) != 0);
 		nonsec = ISC_TF((nsec3param.flags & DNS_NSEC3FLAG_NONSEC) != 0);
 
@@ -327,7 +328,7 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
 
 		if (init)
 			isc_buffer_putstr(buf, "Pending NSEC3 chain ");
-		else if (delete)
+		else if (del)
 			isc_buffer_putstr(buf, "Removing NSEC3 chain ");
 		else
 			isc_buffer_putstr(buf, "Creating NSEC3 chain ");
@@ -340,18 +341,18 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
 
 		CHECK(dns_rdata_totext(&rdata, NULL, buf));
 
-		if (delete && !nonsec)
+		if (del && !nonsec)
 			isc_buffer_putstr(buf, " / creating NSEC chain");
 	} else if (private->length == 5) {
 		unsigned char alg = private->data[0];
 		dns_keytag_t keyid = (private->data[2] | private->data[1] << 8);
 		char keybuf[BUFSIZ], algbuf[DNS_SECALG_FORMATSIZE];
-		isc_boolean_t delete = ISC_TF(private->data[3] != 0);
+		isc_boolean_t del = ISC_TF(private->data[3] != 0);
 		isc_boolean_t complete = ISC_TF(private->data[4] != 0);
 
-		if (delete && complete)
+		if (del && complete)
 			isc_buffer_putstr(buf, "Done removing signatures for ");
-		else if (delete)
+		else if (del)
 			isc_buffer_putstr(buf, "Removing signatures for ");
 		else if (complete)
 			isc_buffer_putstr(buf, "Done signing with ");
@@ -359,7 +360,7 @@ dns_private_totext(dns_rdata_t *private, isc_buffer_t *buf) {
 			isc_buffer_putstr(buf, "Signing with ");
 
 		dns_secalg_format(alg, algbuf, sizeof(algbuf));
-		sprintf(keybuf, "key %d/%s", keyid, algbuf);
+		snprintf(keybuf, sizeof(keybuf), "key %d/%s", keyid, algbuf);
 		isc_buffer_putstr(buf, keybuf);
 	} else
 		return (ISC_R_NOTFOUND);
diff --git a/usr.sbin/bind/lib/dns/rbt.c b/usr.sbin/bind/lib/dns/rbt.c
index 92d4aca8851..78971a4732a 100644
--- a/usr.sbin/bind/lib/dns/rbt.c
+++ b/usr.sbin/bind/lib/dns/rbt.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -30,6 +29,7 @@
 #include <isc/file.h>
 #include <isc/hex.h>
 #include <isc/mem.h>
+#include <isc/once.h>
 #include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/refcount.h>
@@ -147,6 +147,9 @@ static isc_result_t
 write_header(FILE *file, dns_rbt_t *rbt, isc_uint64_t first_node_offset,
 	     isc_uint64_t crc);
 
+static isc_boolean_t
+match_header_version(file_header_t *header);
+
 static isc_result_t
 serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left,
 	       uintptr_t right, uintptr_t down, uintptr_t parent,
@@ -235,11 +238,11 @@ getdata(dns_rbtnode_t *node, file_header_t *header) {
  * The variable length stuff stored after the node has the following
  * structure.
  *
- *	<name_data>{1..255}<oldoffsetlen>{1}<offsets>{1..128}
+ *	&lt;name_data&gt;{1..255}&lt;oldoffsetlen&gt;{1}&lt;offsets&gt;{1..128}
  *
- * <name_data> contains the name of the node when it was created.
- * <oldoffsetlen> contains the length of <offsets> when the node was created.
- * <offsets> contains the offets into name for each label when the node was
+ * &lt;name_data&gt; contains the name of the node when it was created.
+ * &lt;oldoffsetlen&gt; contains the length of &lt;offsets&gt; when the node was created.
+ * &lt;offsets&gt; contains the offets into name for each label when the node was
  * created.
  */
 
@@ -452,7 +455,7 @@ addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
 	   dns_rbtnode_t **rootp);
 
 static void
-deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp);
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp);
 
 static isc_result_t
 treefix(dns_rbt_t *rbt, void *base, size_t size,
@@ -492,6 +495,18 @@ dns_rbt_zero_header(FILE *file) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_once_t once = ISC_ONCE_INIT;
+
+static void
+init_file_version(void) {
+	int n;
+
+	memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
+	n = snprintf(FILE_VERSION, sizeof(FILE_VERSION),
+		 "RBT Image %s %s", dns_major, dns_mapapi);
+	INSIST(n > 0 && (unsigned int)n < sizeof(FILE_VERSION));
+}
+
 /*
  * Write out the real header, including NodeDump version information
  * and the offset of the first node.
@@ -507,11 +522,7 @@ write_header(FILE *file, dns_rbt_t *rbt, isc_uint64_t first_node_offset,
 	isc_result_t result;
 	off_t location;
 
-	if (FILE_VERSION[0] == '\0') {
-		memset(FILE_VERSION, 0, sizeof(FILE_VERSION));
-		snprintf(FILE_VERSION, sizeof(FILE_VERSION),
-			 "RBT Image %s %s", dns_major, dns_mapapi);
-	}
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
 
 	memset(&header, 0, sizeof(file_header_t));
 	memmove(header.version1, FILE_VERSION, sizeof(header.version1));
@@ -543,6 +554,21 @@ write_header(FILE *file, dns_rbt_t *rbt, isc_uint64_t first_node_offset,
 	return (result);
 }
 
+static isc_boolean_t
+match_header_version(file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION,
+		   sizeof(header->version1)) != 0 ||
+	    memcmp(header->version2, FILE_VERSION,
+		   sizeof(header->version1)) != 0)
+	{
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left,
 	       uintptr_t right, uintptr_t down, uintptr_t parent,
@@ -617,7 +643,7 @@ serialize_node(FILE *file, dns_rbtnode_t *node, uintptr_t left,
 #endif
 
 	isc_crc64_update(crc, (const isc_uint8_t *) &temp_node,
-			sizeof(dns_rbtnode_t));
+			 sizeof(dns_rbtnode_t));
 	isc_crc64_update(crc, (const isc_uint8_t *) node_data, datasize);
 
  cleanup:
@@ -877,6 +903,7 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
 	file_header_t *header;
 	dns_rbt_t *rbt = NULL;
 	isc_uint64_t crc;
+	unsigned int host_big_endian;
 
 	REQUIRE(originp == NULL || *originp == NULL);
 	REQUIRE(rbtp != NULL && *rbtp == NULL);
@@ -888,6 +915,10 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
 	rbt->mmap_location = base_address;
 
 	header = (file_header_t *)((char *)base_address + header_offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
 
 #ifdef DNS_RDATASET_FIXED
 	if (header->rdataset_fixed != 1) {
@@ -906,7 +937,9 @@ dns_rbt_deserialize_tree(void *base_address, size_t filesize,
 		result = ISC_R_INVALIDFILE;
 		goto cleanup;
 	}
-	if (header->bigendian != (1 == htonl(1)) ? 1 : 0) {
+
+	host_big_endian = (1 == htonl(1));
+	if (header->bigendian != host_big_endian) {
 		result = ISC_R_INVALIDFILE;
 		goto cleanup;
 	}
@@ -2561,25 +2594,25 @@ addonlevel(dns_rbtnode_t *node, dns_rbtnode_t *current, int order,
  * true red/black tree on a single level.
  */
 static void
-deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
+deletefromlevel(dns_rbtnode_t *item, dns_rbtnode_t **rootp) {
 	dns_rbtnode_t *child, *sibling, *parent;
 	dns_rbtnode_t *successor;
 
-	REQUIRE(delete != NULL);
+	REQUIRE(item != NULL);
 
 	/*
 	 * Verify that the parent history is (apparently) correct.
 	 */
-	INSIST((IS_ROOT(delete) && *rootp == delete) ||
-	       (! IS_ROOT(delete) &&
-		(LEFT(PARENT(delete)) == delete ||
-		 RIGHT(PARENT(delete)) == delete)));
+	INSIST((IS_ROOT(item) && *rootp == item) ||
+	       (! IS_ROOT(item) &&
+		(LEFT(PARENT(item)) == item ||
+		 RIGHT(PARENT(item)) == item)));
 
 	child = NULL;
 
-	if (LEFT(delete) == NULL) {
-		if (RIGHT(delete) == NULL) {
-			if (IS_ROOT(delete)) {
+	if (LEFT(item) == NULL) {
+		if (RIGHT(item) == NULL) {
+			if (IS_ROOT(item)) {
 				/*
 				 * This is the only item in the tree.
 				 */
@@ -2590,13 +2623,13 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 			/*
 			 * This node has one child, on the right.
 			 */
-			child = RIGHT(delete);
+			child = RIGHT(item);
 
-	} else if (RIGHT(delete) == NULL)
+	} else if (RIGHT(item) == NULL)
 		/*
 		 * This node has one child, on the left.
 		 */
-		child = LEFT(delete);
+		child = LEFT(item);
 	else {
 		dns_rbtnode_t holder, *tmp = &holder;
 
@@ -2606,7 +2639,7 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		 * move it to this location, then do the deletion at the
 		 * old site of the successor.
 		 */
-		successor = RIGHT(delete);
+		successor = RIGHT(item);
 		while (LEFT(successor) != NULL)
 			successor = LEFT(successor);
 
@@ -2634,21 +2667,21 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		 */
 		memmove(tmp, successor, sizeof(dns_rbtnode_t));
 
-		if (IS_ROOT(delete)) {
+		if (IS_ROOT(item)) {
 			*rootp = successor;
 			successor->is_root = ISC_TRUE;
-			delete->is_root = ISC_FALSE;
+			item->is_root = ISC_FALSE;
 
 		} else
-			if (LEFT(PARENT(delete)) == delete)
-				LEFT(PARENT(delete)) = successor;
+			if (LEFT(PARENT(item)) == item)
+				LEFT(PARENT(item)) = successor;
 			else
-				RIGHT(PARENT(delete)) = successor;
+				RIGHT(PARENT(item)) = successor;
 
-		PARENT(successor) = PARENT(delete);
-		LEFT(successor)   = LEFT(delete);
-		RIGHT(successor)  = RIGHT(delete);
-		COLOR(successor)  = COLOR(delete);
+		PARENT(successor) = PARENT(item);
+		LEFT(successor)   = LEFT(item);
+		RIGHT(successor)  = RIGHT(item);
+		COLOR(successor)  = COLOR(item);
 
 		if (LEFT(successor) != NULL)
 			PARENT(LEFT(successor)) = successor;
@@ -2660,39 +2693,39 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		 * successor's previous tree location.  PARENT(tmp)
 		 * is the successor's original parent.
 		 */
-		INSIST(! IS_ROOT(delete));
+		INSIST(! IS_ROOT(item));
 
-		if (PARENT(tmp) == delete) {
+		if (PARENT(tmp) == item) {
 			/*
 			 * Node being deleted was successor's parent.
 			 */
-			RIGHT(successor) = delete;
-			PARENT(delete) = successor;
+			RIGHT(successor) = item;
+			PARENT(item) = successor;
 
 		} else {
-			LEFT(PARENT(tmp)) = delete;
-			PARENT(delete) = PARENT(tmp);
+			LEFT(PARENT(tmp)) = item;
+			PARENT(item) = PARENT(tmp);
 		}
 
 		/*
 		 * Original location of successor node has no left.
 		 */
-		LEFT(delete)   = NULL;
-		RIGHT(delete)  = RIGHT(tmp);
-		COLOR(delete)  = COLOR(tmp);
+		LEFT(item)   = NULL;
+		RIGHT(item)  = RIGHT(tmp);
+		COLOR(item)  = COLOR(tmp);
 	}
 
 	/*
 	 * Remove the node by removing the links from its parent.
 	 */
-	if (! IS_ROOT(delete)) {
-		if (LEFT(PARENT(delete)) == delete)
-			LEFT(PARENT(delete)) = child;
+	if (! IS_ROOT(item)) {
+		if (LEFT(PARENT(item)) == item)
+			LEFT(PARENT(item)) = child;
 		else
-			RIGHT(PARENT(delete)) = child;
+			RIGHT(PARENT(item)) = child;
 
 		if (child != NULL)
-			PARENT(child) = PARENT(delete);
+			PARENT(child) = PARENT(item);
 
 	} else {
 		/*
@@ -2701,14 +2734,14 @@ deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 		 */
 		*rootp = child;
 		child->is_root = 1;
-		PARENT(child) = PARENT(delete);
+		PARENT(child) = PARENT(item);
 	}
 
 	/*
 	 * Fix color violations.
 	 */
-	if (IS_BLACK(delete)) {
-		parent = PARENT(delete);
+	if (IS_BLACK(item)) {
+		parent = PARENT(item);
 
 		while (child != *rootp && IS_BLACK(child)) {
 			INSIST(child == NULL || ! IS_ROOT(child));
@@ -2993,7 +3026,7 @@ dns_rbt_printnodeinfo(dns_rbtnode_t *n, FILE *f) {
 			(n->down_is_relative == 1 ? " D" : ""),
 			(n->data_is_relative == 1 ? " T" : ""));
 
-	fprintf(f, "node lock address = %d\n", n->locknum);
+	fprintf(f, "node lock address = %u\n", n->locknum);
 
 	fprintf(f, "Parent: %p\n", n->parent);
 	fprintf(f, "Right: %p\n", n->right);
@@ -3499,8 +3532,22 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 				 * Reached the root without having traversed
 				 * any left pointers, so this level is done.
 				 */
-				if (chain->level_count == 0)
+				if (chain->level_count == 0) {
+					/*
+					 * If the tree we are iterating over
+					 * was modified since this chain was
+					 * initialized in a way that caused
+					 * node splits to occur, "current" may
+					 * now be pointing to a root node which
+					 * appears to be at level 0, but still
+					 * has a parent.  If that happens,
+					 * abort.  Otherwise, we are done
+					 * looking for a successor as we really
+					 * reached the root node on level 0.
+					 */
+					INSIST(PARENT(current) == NULL);
 					break;
+				}
 
 				current = chain->levels[--chain->level_count];
 				new_origin = ISC_TRUE;
@@ -3521,6 +3568,12 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 	}
 
 	if (successor != NULL) {
+		/*
+		 * If we determine that the current node is the successor to
+		 * itself, we will run into an infinite loop, so abort instead.
+		 */
+		INSIST(chain->end != successor);
+
 		chain->end = successor;
 
 		/*
diff --git a/usr.sbin/bind/lib/dns/rbtdb.c b/usr.sbin/bind/lib/dns/rbtdb.c
index e6658e469cc..c7d5d0fd48a 100644
--- a/usr.sbin/bind/lib/dns/rbtdb.c
+++ b/usr.sbin/bind/lib/dns/rbtdb.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -160,7 +159,11 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define add_changed add_changed64
 #define add_empty_wildcards add_empty_wildcards64
 #define add_wildcard_magic add_wildcard_magic64
+#define addclosest addclosest64
+#define addnoqname addnoqname64
 #define addrdataset addrdataset64
+#define adjust_quantum adjust_quantum64
+#define allocate_version allocate_version64
 #define allrdatasets allrdatasets64
 #define attach attach64
 #define attachnode attachnode64
@@ -172,9 +175,14 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define cache_findzonecut cache_findzonecut64
 #define cache_zonecut_callback cache_zonecut_callback64
 #define check_stale_header check_stale_header64
+#define clean_cache_node clean_cache_node64
+#define clean_stale_headers clean_stale_headers64
+#define clean_zone_node clean_zone_node64
 #define cleanup_dead_nodes cleanup_dead_nodes64
 #define cleanup_dead_nodes_callback cleanup_dead_nodes_callback64
+#define cleanup_nondirty cleanup_nondirty64
 #define closeversion closeversion64
+#define cname_and_other_data cname_and_other_data64
 #define createiterator createiterator64
 #define currentversion currentversion64
 #define dbiterator_current dbiterator_current64
@@ -187,9 +195,11 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define dbiterator_prev dbiterator_prev64
 #define dbiterator_seek dbiterator_seek64
 #define decrement_reference decrement_reference64
+#define delegating_type delegating_type64
 #define delete_callback delete_callback64
 #define delete_node delete_node64
 #define deleterdataset deleterdataset64
+#define dereference_iter_node dereference_iter_node64
 #define deserialize32 deserialize64
 #define detach detach64
 #define detachnode detachnode64
@@ -200,6 +210,7 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define find_closest_nsec find_closest_nsec64
 #define find_coveringnsec find_coveringnsec64
 #define find_deepest_zonecut find_deepest_zonecut64
+#define find_wildcard find_wildcard64
 #define findnode findnode64
 #define findnodeintree findnodeintree64
 #define findnsec3node findnsec3node64
@@ -216,24 +227,31 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define getsize getsize64
 #define hashsize hashsize64
 #define init_file_version init_file_version64
+#define init_rdataset init_rdataset64
 #define isdnssec isdnssec64
 #define ispersistent ispersistent64
 #define issecure issecure64
 #define iszonesecure iszonesecure64
 #define loading_addrdataset loading_addrdataset64
 #define loadnode loadnode64
+#define make_least_version make_least_version64
 #define mark_stale_header mark_stale_header64
+#define match_header_version match_header_version64
 #define matchparams matchparams64
 #define maybe_free_rbtdb maybe_free_rbtdb64
+#define need_headerupdate need_headerupdate64
+#define new_rdataset new_rdataset64
 #define new_reference new_reference64
 #define newversion newversion64
 #define nodecount nodecount64
 #define overmem overmem64
+#define overmem_purge overmem_purge64
 #define previous_closest_nsec previous_closest_nsec64
 #define printnode printnode64
 #define prune_tree prune_tree64
 #define rbt_datafixer rbt_datafixer64
 #define rbt_datawriter rbt_datawriter64
+#define rbtdb_write_header rbtdb_write_header64
 #define rbtdb_zero_header rbtdb_zero_header64
 #define rdataset_clearprefetch rdataset_clearprefetch64
 #define rdataset_clone rdataset_clone64
@@ -254,16 +272,20 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define rdatasetiter_first rdatasetiter_first64
 #define rdatasetiter_next rdatasetiter_next64
 #define reactivate_node reactivate_node64
+#define reference_iter_node reference_iter_node64
 #define resign_delete resign_delete64
 #define resign_insert resign_insert64
 #define resign_sooner resign_sooner64
 #define resigned resigned64
+#define resume_iteration resume_iteration64
+#define rollback_node rollback_node64
 #define rpz_attach rpz_attach64
 #define rpz_ready rpz_ready64
 #define serialize serialize64
 #define set_index set_index64
 #define set_ttl set_ttl64
 #define setcachestats setcachestats64
+#define setnsec3parameters setnsec3parameters64
 #define setsigningtime setsigningtime64
 #define settask settask64
 #define setup_delegation setup_delegation64
@@ -272,7 +294,9 @@ typedef isc_uint64_t                    rbtdb_serial_t;
 #define update_cachestats update_cachestats64
 #define update_header update_header64
 #define update_newheader update_newheader64
+#define update_recordsandbytes  update_recordsandbytes64
 #define update_rrsetstats update_rrsetstats64
+#define valid_glue valid_glue64
 #define zone_find zone_find64
 #define zone_findrdataset zone_findrdataset64
 #define zone_findzonecut zone_findzonecut64
@@ -630,6 +654,7 @@ struct dns_rbtdb {
 	unsigned int                    node_lock_count;
 	rbtdb_nodelock_t *              node_locks;
 	dns_rbtnode_t *                 origin_node;
+	dns_rbtnode_t *			nsec3_origin_node;
 	dns_stats_t *			rrsetstats; /* cache DB only */
 	isc_stats_t *			cachestats; /* cache DB only */
 	/* Locked by lock. */
@@ -665,7 +690,7 @@ struct dns_rbtdb {
 	 * context to use for the heap (which differs from the main
 	 * database memory context in the case of a cache).
 	 */
-	isc_mem_t *			hmctx;
+	isc_mem_t			*hmctx;
 	isc_heap_t                      **heaps;
 
 	/*
@@ -809,6 +834,15 @@ typedef struct rbtdb_rdatasetiter {
 	rdatasetheader_t *              current;
 } rbtdb_rdatasetiter_t;
 
+/*
+ * Note that these iterators, unless created with either DNS_DB_NSEC3ONLY or
+ * DNS_DB_NONSEC3, will transparently move between the last node of the
+ * "regular" RBT ("chain" field) and the root node of the NSEC3 RBT
+ * ("nsec3chain" field) of the database in question, as if the latter was a
+ * successor to the former in lexical order.  The "current" field always holds
+ * the address of either "chain" or "nsec3chain", depending on which RBT is
+ * being traversed at given time.
+ */
 static void             dbiterator_destroy(dns_dbiterator_t **iteratorp);
 static isc_result_t     dbiterator_first(dns_dbiterator_t *iterator);
 static isc_result_t     dbiterator_last(dns_dbiterator_t *iterator);
@@ -853,7 +887,7 @@ typedef struct rbtdb_dbiterator {
 	dns_rbtnodechain_t		*current;
 	dns_rbtnode_t                   *node;
 	dns_rbtnode_t                   *deletions[DELETION_BATCH_MAX];
-	int                             delete;
+	int                             delcnt;
 	isc_boolean_t			nsec3only;
 	isc_boolean_t			nonsec3;
 } rbtdb_dbiterator_t;
@@ -867,6 +901,8 @@ static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
 static void overmem(dns_db_t *db, isc_boolean_t over);
 static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version);
 
+static isc_boolean_t match_header_version(rbtdb_file_header_t *header);
+
 /* Pad to 32 bytes */
 static char FILE_VERSION[32] = "\0";
 
@@ -1054,9 +1090,7 @@ ttl_sooner(void *v1, void *v2) {
 	rdatasetheader_t *h1 = v1;
 	rdatasetheader_t *h2 = v2;
 
-	if (h1->rdh_ttl < h2->rdh_ttl)
-		return (ISC_TRUE);
-	return (ISC_FALSE);
+	return (ISC_TF(h1->rdh_ttl < h2->rdh_ttl));
 }
 
 static isc_boolean_t
@@ -1064,10 +1098,9 @@ resign_sooner(void *v1, void *v2) {
 	rdatasetheader_t *h1 = v1;
 	rdatasetheader_t *h2 = v2;
 
-	if (h1->resign < h2->resign ||
-	    (h1->resign == h2->resign && h1->resign_lsb < h2->resign_lsb))
-		return (ISC_TRUE);
-	return (ISC_FALSE);
+	return (ISC_TF(h1->resign < h2->resign ||
+		       (h1->resign == h2->resign &&
+			h1->resign_lsb < h2->resign_lsb)));
 }
 
 /*%
@@ -1092,7 +1125,7 @@ adjust_quantum(unsigned int old, isc_time_t *start) {
 	unsigned int interval;
 	isc_uint64_t usecs;
 	isc_time_t end;
-	unsigned int new;
+	unsigned int nodes;
 
 	if (pps < 100)
 		pps = 100;
@@ -1112,22 +1145,22 @@ adjust_quantum(unsigned int old, isc_time_t *start) {
 			old = 1000;
 		return (old);
 	}
-	new = old * interval;
-	new /= (unsigned int)usecs;
-	if (new == 0)
-		new = 1;
-	else if (new > 1000)
-		new = 1000;
+	nodes = old * interval;
+	nodes /= (unsigned int)usecs;
+	if (nodes == 0)
+		nodes = 1;
+	else if (nodes > 1000)
+		nodes = 1000;
 
 	/* Smooth */
-	new = (new + old * 3) / 4;
+	nodes = (nodes + old * 3) / 4;
 
-	if (new != old)
+	if (nodes != old)
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-			      "adjust_quantum: old=%d, new=%d", old, new);
+			      "adjust_quantum: old=%d, new=%d", old, nodes);
 
-	return (new);
+	return (nodes);
 }
 
 static void
@@ -1221,7 +1254,7 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 			dns_name_format(&rbtdb->common.origin, buf,
 					sizeof(buf));
 		else
-			strcpy(buf, "<UNKNOWN>");
+			strlcpy(buf, "<UNKNOWN>", sizeof(buf));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
 			      "done free_rbtdb(%s)", buf);
@@ -1336,11 +1369,12 @@ maybe_free_rbtdb(dns_rbtdb_t *rbtdb) {
 		RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_write);
 		if (want_free) {
 			char buf[DNS_NAME_FORMATSIZE];
-			if (dns_name_dynamic(&rbtdb->common.origin))
+			if (dns_name_dynamic(&rbtdb->common.origin)) {
 				dns_name_format(&rbtdb->common.origin, buf,
 						sizeof(buf));
-			else
-				strcpy(buf, "<UNKNOWN>");
+			} else {
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
+			}
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
 				      "calling free_rbtdb(%s)", buf);
@@ -1581,18 +1615,18 @@ init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h) {
  * Update the copied values of 'next' and 'node' if they are relative.
  */
 static void
-update_newheader(rdatasetheader_t *new, rdatasetheader_t *old) {
+update_newheader(rdatasetheader_t *newh, rdatasetheader_t *old) {
 	char *p;
 
 	if (old->next_is_relative) {
 		p = (char *) old;
 		p += (uintptr_t)old->next;
-		new->next = (rdatasetheader_t *)p;
+		newh->next = (rdatasetheader_t *)p;
 	}
 	if (old->node_is_relative) {
 		p = (char *) old;
 		p += (uintptr_t)old->node;
-		new->node = (dns_rbtnode_t *)p;
+		newh->node = (dns_rbtnode_t *)p;
 	}
 }
 
@@ -1907,7 +1941,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 		name = dns_fixedname_name(&fname);
 		dns_rbt_fullnamefromnode(node, name);
 
+		/*
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
+		 */
 		node_has_rpz = node->rpz;
+		node->rpz = 0;
 		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
 		if (result == ISC_R_SUCCESS &&
 		    rbtdb->rpzs != NULL && node_has_rpz)
@@ -1944,7 +1984,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 					      isc_result_totext(result));
 			}
 		}
+		/*
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
+		 */
 		node_has_rpz = node->rpz;
+		node->rpz = 0;
 		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
 		if (result == ISC_R_SUCCESS &&
 		    rbtdb->rpzs != NULL && node_has_rpz)
@@ -2099,8 +2145,12 @@ reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
  * have to be protected, but we must avoid a race condition where multiple
  * threads are decreasing the reference to zero simultaneously and at least
  * one of them is going to free the node.
+ *
  * This function returns ISC_TRUE if and only if the node reference decreases
  * to zero.
+ *
+ * NOTE: Decrementing the reference count of a node to zero does not mean it
+ * will be immediately freed.
  */
 static isc_boolean_t
 decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
@@ -2118,7 +2168,8 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	nodelock = &rbtdb->node_locks[bucket];
 
 #define KEEP_NODE(n, r) \
-	((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
+	((n)->data != NULL || (n)->down != NULL || \
+	 (n) == (r)->origin_node || (n) == (r)->nsec3_origin_node)
 
 	/* Handle easy and typical case first. */
 	if (!node->dirty && KEEP_NODE(node, rbtdb)) {
@@ -5452,7 +5503,7 @@ detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
 				dns_name_format(&rbtdb->common.origin, buf,
 						sizeof(buf));
 			else
-				strcpy(buf, "<UNKNOWN>");
+				strlcpy(buf, "<UNKNOWN>", sizeof(buf));
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
 				      "calling free_rbtdb(%s)", buf);
@@ -5630,7 +5681,7 @@ createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
 	dns_fixedname_init(&rbtdbiter->name);
 	dns_fixedname_init(&rbtdbiter->origin);
 	rbtdbiter->node = NULL;
-	rbtdbiter->delete = 0;
+	rbtdbiter->delcnt = 0;
 	rbtdbiter->nsec3only = ISC_TF((options & DNS_DB_NSEC3ONLY) != 0);
 	rbtdbiter->nonsec3 = ISC_TF((options & DNS_DB_NONSEC3) != 0);
 	memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
@@ -5989,6 +6040,22 @@ resign_delete(dns_rbtdb_t *rbtdb, rbtdb_version_t *version,
 	}
 }
 
+static void
+update_recordsandbytes(isc_boolean_t add, rbtdb_version_t *rbtversion,
+		       rdatasetheader_t *header)
+{
+	unsigned char *hdr = (unsigned char *)header;
+	size_t hdrsize = sizeof (*header);
+
+	if (add) {
+		rbtversion->records += dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->bytes += dns_rdataslab_size(hdr, hdrsize);
+	} else {
+		rbtversion->records -= dns_rdataslab_count(hdr, hdrsize);
+		rbtversion->bytes -= dns_rdataslab_size(hdr, hdrsize);
+	}
+}
+
 static isc_result_t
 add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
       rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading,
@@ -6221,7 +6288,8 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				update_newheader(newheader, header);
 				if (loading && RESIGN(newheader) &&
 				    RESIGN(header) &&
-				    header->resign < newheader->resign) {
+				    resign_sooner(header, newheader))
+				{
 					newheader->resign = header->resign;
 					newheader->resign_lsb =
 							header->resign_lsb;
@@ -6318,54 +6386,93 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		}
 		INSIST(rbtversion == NULL ||
 		       rbtversion->serial >= topheader->serial);
-		if (topheader_prev != NULL)
-			topheader_prev->next = newheader;
-		else
-			rbtnode->data = newheader;
-		newheader->next = topheader->next;
-		if (rbtversion != NULL)
-			RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-		if (rbtversion != NULL && !header_nx) {
-			rbtversion->records -=
-				dns_rdataslab_count((unsigned char *)header,
-						    sizeof(*header));
-			rbtversion->bytes -=
-				dns_rdataslab_size((unsigned char *)header,
-						   sizeof(*header));
-		}
-		if (rbtversion != NULL && !newheader_nx) {
-			rbtversion->records +=
-				dns_rdataslab_count((unsigned char *)newheader,
-						    sizeof(*newheader));
-			rbtversion->bytes +=
-				dns_rdataslab_size((unsigned char *)newheader,
-						   sizeof(*newheader));
-		}
-		if (rbtversion != NULL)
-			RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
 		if (loading) {
+			newheader->down = NULL;
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				if (ZEROTTL(newheader))
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				else
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
+				INSIST(rbtdb->heaps != NULL);
+				result = isc_heap_insert(rbtdb->heaps[idx],
+							 newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+			} else if (RESIGN(newheader)) {
+				result = resign_insert(rbtdb, idx, newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					return (result);
+				}
+				/*
+				 * Don't call resign_delete as we don't need
+				 * to reverse the delete.  The free_rdataset
+				 * call below will clean up the heap entry.
+				 */
+			}
+
 			/*
 			 * There are no other references to 'header' when
 			 * loading, so we MAY clean up 'header' now.
 			 * Since we don't generate changed records when
 			 * loading, we MUST clean up 'header' now.
 			 */
-			newheader->down = NULL;
+			if (topheader_prev != NULL)
+				topheader_prev->next = newheader;
+			else
+				rbtnode->data = newheader;
+			newheader->next = topheader->next;
+			if (rbtversion != NULL && !header_nx) {
+				RWLOCK(&rbtversion->rwlock,
+				       isc_rwlocktype_write);
+				update_recordsandbytes(ISC_FALSE, rbtversion,
+						       header);
+				RWUNLOCK(&rbtversion->rwlock,
+					 isc_rwlocktype_write);
+			}
 			free_rdataset(rbtdb, rbtdb->common.mctx, header);
-
+		} else {
 			idx = newheader->node->locknum;
 			if (IS_CACHE(rbtdb)) {
-				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-						 newheader, link);
 				INSIST(rbtdb->heaps != NULL);
-				(void)isc_heap_insert(rbtdb->heaps[idx],
+				result = isc_heap_insert(rbtdb->heaps[idx],
+							 newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
 						      newheader);
+					return (result);
+				}
+				if (ZEROTTL(newheader))
+					ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+							newheader, link);
+				else
+					ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+							 newheader, link);
 			} else if (RESIGN(newheader)) {
 				result = resign_insert(rbtdb, idx, newheader);
-				if (result != ISC_R_SUCCESS)
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
 					return (result);
+				}
+				resign_delete(rbtdb, rbtversion, header);
 			}
-		} else {
+			if (topheader_prev != NULL)
+				topheader_prev->next = newheader;
+			else
+				rbtnode->data = newheader;
+			newheader->next = topheader->next;
 			newheader->down = topheader;
 			topheader->next = newheader;
 			rbtnode->dirty = 1;
@@ -6379,25 +6486,13 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					mark_stale_header(rbtdb, sigheader);
 				}
 			}
-			idx = newheader->node->locknum;
-			if (IS_CACHE(rbtdb)) {
-				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-						 newheader, link);
-				/*
-				 * XXXMLG We don't check the return value
-				 * here.  If it fails, we will not do TTL
-				 * based expiry on this node.  However, we
-				 * will do it on the LRU side, so memory
-				 * will not leak... for long.
-				 */
-				INSIST(rbtdb->heaps != NULL);
-				(void)isc_heap_insert(rbtdb->heaps[idx],
-						      newheader);
-			} else if (RESIGN(newheader)) {
-				resign_delete(rbtdb, rbtversion, header);
-				result = resign_insert(rbtdb, idx, newheader);
-				if (result != ISC_R_SUCCESS)
-					return (result);
+			if (rbtversion != NULL && !header_nx) {
+				RWLOCK(&rbtversion->rwlock,
+				       isc_rwlocktype_write);
+				update_recordsandbytes(ISC_FALSE, rbtversion,
+						       header);
+				RWUNLOCK(&rbtversion->rwlock,
+					 isc_rwlocktype_write);
 			}
 		}
 	} else {
@@ -6414,6 +6509,30 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			return (DNS_R_UNCHANGED);
 		}
 
+		idx = newheader->node->locknum;
+		if (IS_CACHE(rbtdb)) {
+			result = isc_heap_insert(rbtdb->heaps[idx], newheader);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+			if (ZEROTTL(newheader))
+				ISC_LIST_APPEND(rbtdb->rdatasets[idx],
+						newheader, link);
+			else
+				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+						 newheader, link);
+		} else if (RESIGN(newheader)) {
+			result = resign_insert(rbtdb, idx, newheader);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+			resign_delete(rbtdb, rbtversion, header);
+		}
+
 		if (topheader != NULL) {
 			/*
 			 * We have an list of rdatasets of the given type,
@@ -6444,27 +6563,12 @@ add32(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			newheader->down = NULL;
 			rbtnode->data = newheader;
 		}
-		if (rbtversion != NULL && !newheader_nx) {
-			RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-			rbtversion->records +=
-				dns_rdataslab_count((unsigned char *)newheader,
-						    sizeof(*newheader));
-			rbtversion->bytes +=
-				dns_rdataslab_size((unsigned char *)newheader,
-						   sizeof(*newheader));
-			RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
-		}
-		idx = newheader->node->locknum;
-		if (IS_CACHE(rbtdb)) {
-			ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
-					 newheader, link);
-			isc_heap_insert(rbtdb->heaps[idx], newheader);
-		} else if (RESIGN(newheader)) {
-			resign_delete(rbtdb, rbtversion, header);
-			result = resign_insert(rbtdb, idx, newheader);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
+	}
+
+	if (rbtversion != NULL && !newheader_nx) {
+		RWLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
+		update_recordsandbytes(ISC_TRUE, rbtversion, newheader);
+		RWUNLOCK(&rbtversion->rwlock, isc_rwlocktype_write);
 	}
 
 	/*
@@ -6908,6 +7012,19 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			newheader = (rdatasetheader_t *)subresult;
 			init_rdataset(rbtdb, newheader);
 			update_newheader(newheader, header);
+			if (RESIGN(header)) {
+				newheader->attributes |= RDATASET_ATTR_RESIGN;
+				newheader->resign = header->resign;
+				newheader->resign_lsb = header->resign_lsb;
+				result = resign_insert(rbtdb, rbtnode->locknum,
+						       newheader);
+				if (result != ISC_R_SUCCESS) {
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
+						      newheader);
+					goto unlock;
+				}
+			}
 			/*
 			 * We have to set the serial since the rdataslab
 			 * subtraction routine copies the reserved portion of
@@ -6921,12 +7038,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 */
 			newheader->additional_auth = NULL;
 			newheader->additional_glue = NULL;
-			rbtversion->records +=
-				dns_rdataslab_count((unsigned char *)newheader,
-						    sizeof(*newheader));
-			rbtversion->bytes +=
-				dns_rdataslab_size((unsigned char *)newheader,
-						   sizeof(*newheader));
+			update_recordsandbytes(ISC_TRUE, rbtversion, newheader);
 		} else if (result == DNS_R_NXRRSET) {
 			/*
 			 * This subtraction would remove all of the rdata;
@@ -6963,12 +7075,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		 * topheader.
 		 */
 		INSIST(rbtversion->serial >= topheader->serial);
-		rbtversion->records -=
-				dns_rdataslab_count((unsigned char *)header,
-						    sizeof(*header));
-		rbtversion->bytes -=
-				dns_rdataslab_size((unsigned char *)header,
-						   sizeof(*header));
+		update_recordsandbytes(ISC_FALSE, rbtversion, header);
 		if (topheader_prev != NULL)
 			topheader_prev->next = newheader;
 		else
@@ -7145,8 +7252,12 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 
 		/*
 		 * Remove the node we just added above.
+		 * dns_rbt_deletenode() may keep the node if it has a
+		 * down pointer, but we mustn't call dns_rpz_delete() on
+		 * it again.
 		 */
 		node_has_rpz = node->rpz;
+		node->rpz = 0;
 		tmpresult = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
 		if (tmpresult == ISC_R_SUCCESS) {
 			/*
@@ -7323,7 +7434,9 @@ rbt_datafixer(dns_rbtnode_t *rbtnode, void *base, size_t filesize,
 		header->node = rbtnode;
 		header->node_is_relative = 0;
 
-		if (rbtdb != NULL && RESIGN(header) && header->resign != 0) {
+		if (rbtdb != NULL && RESIGN(header) &&
+		    (header->resign != 0 || header->resign_lsb != 0))
+		{
 			int idx = header->node->locknum;
 			result = isc_heap_insert(rbtdb->heaps[idx], header);
 			if (result != ISC_R_SUCCESS)
@@ -7380,10 +7493,15 @@ deserialize32(void *arg, FILE *f, off_t offset) {
 #endif
 
 	base = isc_file_mmap(NULL, filesize, protect, flags, fd, 0);
-	if (base == NULL || base == MAP_FAILED)
+	if (base == NULL || base == MAP_FAILED) {
 		return (ISC_R_FAILURE);
+	}
 
 	header = (rbtdb_file_header_t *)(base + offset);
+	if (!match_header_version(header)) {
+		result = ISC_R_INVALIDFILE;
+		goto cleanup;
+	}
 
 	if (header->tree != 0) {
 		result = dns_rbt_deserialize_tree(base, filesize,
@@ -7699,6 +7817,21 @@ rbtdb_write_header(FILE *rbtfile, off_t tree_location, off_t nsec_location,
 	return (result);
 }
 
+static isc_boolean_t
+match_header_version(rbtdb_file_header_t *header) {
+	RUNTIME_CHECK(isc_once_do(&once, init_file_version) == ISC_R_SUCCESS);
+
+	if (memcmp(header->version1, FILE_VERSION,
+		   sizeof(header->version1)) != 0 ||
+	    memcmp(header->version2, FILE_VERSION,
+		   sizeof(header->version1)) != 0)
+	{
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
+
 static isc_result_t
 serialize(dns_db_t *db, dns_dbversion_t *ver, FILE *rbtfile) {
 	rbtdb_version_t *version = (rbtdb_version_t *) ver;
@@ -7957,9 +8090,8 @@ getsize(dns_db_t *db, dns_dbversion_t *version, isc_uint64_t *records,
 static isc_result_t
 setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
-	isc_stdtime_t oldresign;
 	isc_result_t result = ISC_R_SUCCESS;
-	rdatasetheader_t *header;
+	rdatasetheader_t *header, oldheader;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 	REQUIRE(!IS_CACHE(rbtdb));
@@ -7971,22 +8103,31 @@ setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
 	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
 		  isc_rwlocktype_write);
 
-	oldresign = header->resign;
-	header->resign = (isc_stdtime_t)(dns_time64_from32(resign) >> 1);
-	header->resign_lsb = resign & 0x1;
+	oldheader = *header;
+	/*
+	 * Only break the heap invariant (by adjusting resign and resign_lsb)
+	 * if we are going to be restoring it by calling isc_heap_increased
+	 * or isc_heap_decreased.
+	 */
+	if (resign != 0) {
+		header->resign =
+			 (isc_stdtime_t)(dns_time64_from32(resign) >> 1);
+		header->resign_lsb = resign & 0x1;
+	}
 	if (header->heap_index != 0) {
 		INSIST(RESIGN(header));
 		if (resign == 0) {
 			isc_heap_delete(rbtdb->heaps[header->node->locknum],
 					header->heap_index);
 			header->heap_index = 0;
-		} else if (resign < oldresign)
+		} else if (resign_sooner(header, &oldheader)) {
 			isc_heap_increased(rbtdb->heaps[header->node->locknum],
 					   header->heap_index);
-		else if (resign > oldresign)
+		} else if (resign_sooner(&oldheader, header)) {
 			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
 					   header->heap_index);
-	} else if (resign && header->heap_index == 0) {
+		}
+	} else if (resign != 0) {
 		header->attributes |= RDATASET_ATTR_RESIGN;
 		result = resign_insert(rbtdb, header->node->locknum, header);
 	}
@@ -8019,7 +8160,7 @@ getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
 		}
 		if (header == NULL)
 			header = this;
-		else if (isc_serial_lt(this->resign, header->resign)) {
+		else if (resign_sooner(this, header)) {
 			locknum = header->node->locknum;
 			NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
 				    isc_rwlocktype_read);
@@ -8402,8 +8543,6 @@ dns_rbtdb_create
 	 * change.
 	 */
 	if (!IS_CACHE(rbtdb)) {
-		dns_rbtnode_t *nsec3node;
-
 		rbtdb->origin_node = NULL;
 		result = dns_rbt_addnode(rbtdb->tree, &rbtdb->common.origin,
 					 &rbtdb->origin_node);
@@ -8412,6 +8551,7 @@ dns_rbtdb_create
 			free_rbtdb(rbtdb, ISC_FALSE, NULL);
 			return (result);
 		}
+		INSIST(rbtdb->origin_node != NULL);
 		rbtdb->origin_node->nsec = DNS_RBT_NSEC_NORMAL;
 		/*
 		 * We need to give the origin node the right locknum.
@@ -8432,25 +8572,27 @@ dns_rbtdb_create
 		 * return partial matches when there is only a single NSEC3
 		 * record in the tree.
 		 */
-		nsec3node = NULL;
+		rbtdb->nsec3_origin_node = NULL;
 		result = dns_rbt_addnode(rbtdb->nsec3, &rbtdb->common.origin,
-					 &nsec3node);
+					 &rbtdb->nsec3_origin_node);
 		if (result != ISC_R_SUCCESS) {
 			INSIST(result != ISC_R_EXISTS);
 			free_rbtdb(rbtdb, ISC_FALSE, NULL);
 			return (result);
 		}
-		nsec3node->nsec = DNS_RBT_NSEC_NSEC3;
+		rbtdb->nsec3_origin_node->nsec = DNS_RBT_NSEC_NSEC3;
 		/*
 		 * We need to give the nsec3 origin node the right locknum.
 		 */
 		dns_name_init(&name, NULL);
-		dns_rbt_namefromnode(nsec3node, &name);
+		dns_rbt_namefromnode(rbtdb->nsec3_origin_node, &name);
 #ifdef DNS_RBT_USEHASH
-		nsec3node->locknum = nsec3node->hashval %
+		rbtdb->nsec3_origin_node->locknum =
+			rbtdb->nsec3_origin_node->hashval %
 			rbtdb->node_lock_count;
 #else
-		nsec3node->locknum = dns_name_hash(&name, ISC_TRUE) %
+		rbtdb->nsec3_origin_node->locknum =
+			dns_name_hash(&name, ISC_TRUE) %
 			rbtdb->node_lock_count;
 #endif
 	}
@@ -9054,7 +9196,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 	nodelock_t *lock;
 	int i;
 
-	if (rbtdbiter->delete != 0) {
+	if (rbtdbiter->delcnt != 0) {
 		/*
 		 * Note that "%d node of %d in tree" can report things like
 		 * "flush_deletions: 59 nodes of 41 in tree".  This means
@@ -9064,7 +9206,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
 			      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
 			      "flush_deletions: %d nodes of %d in tree",
-			      rbtdbiter->delete,
+			      rbtdbiter->delcnt,
 			      dns_rbt_nodecount(rbtdb->tree));
 
 		if (rbtdbiter->tree_locked == isc_rwlocktype_read) {
@@ -9074,7 +9216,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 		rbtdbiter->tree_locked = isc_rwlocktype_write;
 
-		for (i = 0; i < rbtdbiter->delete; i++) {
+		for (i = 0; i < rbtdbiter->delcnt; i++) {
 			node = rbtdbiter->deletions[i];
 			lock = &rbtdb->node_locks[node->locknum].lock;
 
@@ -9085,7 +9227,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 			NODE_UNLOCK(lock, isc_rwlocktype_read);
 		}
 
-		rbtdbiter->delete = 0;
+		rbtdbiter->delcnt = 0;
 
 		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 		if (was_read_locked) {
@@ -9454,7 +9596,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		 * to expire the current node.  The current node can't
 		 * fully deleted while the iteration cursor is still on it.
 		 */
-		if (rbtdbiter->delete == DELETION_BATCH_MAX)
+		if (rbtdbiter->delcnt == DELETION_BATCH_MAX)
 			flush_deletions(rbtdbiter);
 
 		expire_result = expirenode(iterator->db, *nodep, 0);
@@ -9465,7 +9607,7 @@ dbiterator_current(dns_dbiterator_t *iterator, dns_dbnode_t **nodep,
 		if (expire_result == ISC_R_SUCCESS && node->down == NULL) {
 			unsigned int refs;
 
-			rbtdbiter->deletions[rbtdbiter->delete++] = node;
+			rbtdbiter->deletions[rbtdbiter->delcnt++] = node;
 			NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 			dns_rbtnode_refincrement(node, &refs);
 			INSIST(refs != 0);
@@ -9889,7 +10031,9 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 static inline isc_boolean_t
 need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
 	if ((header->attributes &
-	     (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0)
+	     (RDATASET_ATTR_NONEXISTENT |
+	      RDATASET_ATTR_STALE |
+	      RDATASET_ATTR_ZEROTTL)) != 0)
 		return (ISC_FALSE);
 
 #if DNS_RBTDB_LIMITLRUUPDATE
diff --git a/usr.sbin/bind/lib/dns/rbtdb.h b/usr.sbin/bind/lib/dns/rbtdb.h
index ac842cfc1de..ef3b80363d0 100644
--- a/usr.sbin/bind/lib/dns/rbtdb.h
+++ b/usr.sbin/bind/lib/dns/rbtdb.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rbtdb.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RBTDB_H
 #define DNS_RBTDB_H 1
diff --git a/usr.sbin/bind/lib/dns/rbtdb64.c b/usr.sbin/bind/lib/dns/rbtdb64.c
index 0f20a4a400a..7e79decaecb 100644
--- a/usr.sbin/bind/lib/dns/rbtdb64.c
+++ b/usr.sbin/bind/lib/dns/rbtdb64.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rbtdb64.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/rbtdb64.h b/usr.sbin/bind/lib/dns/rbtdb64.h
index b9ef88e4f34..ff5c9b182f5 100644
--- a/usr.sbin/bind/lib/dns/rbtdb64.h
+++ b/usr.sbin/bind/lib/dns/rbtdb64.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rbtdb64.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
diff --git a/usr.sbin/bind/lib/dns/rcode.c b/usr.sbin/bind/lib/dns/rcode.c
index 94bd019626d..749ddf41098 100644
--- a/usr.sbin/bind/lib/dns/rcode.c
+++ b/usr.sbin/bind/lib/dns/rcode.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rcode.c,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -141,6 +140,8 @@
 	{ DNS_KEYALG_ECCGOST, "ECCGOST", 0 }, \
 	{ DNS_KEYALG_ECDSA256, "ECDSAP256SHA256", 0 }, \
 	{ DNS_KEYALG_ECDSA384, "ECDSAP384SHA384", 0 }, \
+	{ DNS_KEYALG_ED25519, "ED25519", 0 }, \
+	{ DNS_KEYALG_ED448, "ED448", 0 }, \
 	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
 	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
 	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
@@ -257,8 +258,8 @@ maybe_numeric(unsigned int *valuep, isc_textregion_t *source,
 	 * isc_parse_uint32().	isc_parse_uint32() requires
 	 * null termination, so we must make a copy.
 	 */
-	strncpy(buffer, source->base, sizeof(buffer));
-	buffer[sizeof(buffer) - 1] = '\0';
+	snprintf(buffer, sizeof(buffer), "%.*s",
+		 (int)source->length, source->base);
 
 	INSIST(buffer[source->length] == '\0');
 
@@ -509,8 +510,12 @@ dns_rdataclass_fromtext(dns_rdataclass_t *classp, isc_textregion_t *source) {
 			char *endp;
 			unsigned int val;
 
-			strncpy(buf, source->base + 5, source->length - 5);
-			buf[source->length - 5] = '\0';
+			/*
+			 * source->base is not required to be NUL terminated.
+			 * Copy up to remaining bytes and NUL terminate.
+			 */
+			snprintf(buf, sizeof(buf), "%.*s",
+				 (int)(source->length - 5), source->base + 5);
 			val = strtoul(buf, &endp, 10);
 			if (*endp == '\0' && val <= 0xffff) {
 				*classp = (dns_rdataclass_t)val;
diff --git a/usr.sbin/bind/lib/dns/rdata.c b/usr.sbin/bind/lib/dns/rdata.c
index 74d3cfaf4b5..6bb024c04d4 100644
--- a/usr.sbin/bind/lib/dns/rdata.c
+++ b/usr.sbin/bind/lib/dns/rdata.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.13 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rdata.c,v 1.14 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -102,7 +101,7 @@
 #define ARGS_FROMSTRUCT	int rdclass, dns_rdatatype_t type, \
 			void *source, isc_buffer_t *target
 
-#define ARGS_TOSTRUCT	dns_rdata_t *rdata, void *target, isc_mem_t *mctx
+#define ARGS_TOSTRUCT	const dns_rdata_t *rdata, void *target, isc_mem_t *mctx
 
 #define ARGS_FREESTRUCT void *source
 
@@ -116,6 +115,24 @@
 
 #define ARGS_CHECKNAMES dns_rdata_t *rdata, dns_name_t *owner, dns_name_t *bad
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+#ifndef DNS_NAME_INITNONABSOLUTE
+#define DNS_NAME_INITNONABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, (sizeof(A) - 1), sizeof(B), \
+	DNS_NAMEATTR_READONLY, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
 
 /*%
  * Context structure for the totext_ functions.
@@ -321,14 +338,8 @@ generic_freestruct_tlsa(ARGS_FREESTRUCT);
 static unsigned char gc_msdcs_data[]  = "\002gc\006_msdcs";
 static unsigned char gc_msdcs_offset [] = { 0, 3 };
 
-static const dns_name_t gc_msdcs = {
-	DNS_NAME_MAGIC,
-	gc_msdcs_data, 10, 2,
-	DNS_NAMEATTR_READONLY,
-	gc_msdcs_offset, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t const gc_msdcs =
+	DNS_NAME_INITNONABSOLUTE(gc_msdcs_data, gc_msdcs_offset);
 
 /*%
  *	convert presentation level address to network order binary form.
@@ -394,7 +405,7 @@ getquad(const void *src, struct in_addr *dst,
 	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
 {
 	int result;
-	struct in_addr *tmp;
+	struct in_addr tmp;
 
 	result = inet_aton(src, dst);
 	if (result == 1 && callbacks != NULL &&
@@ -501,7 +512,7 @@ typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx,
 {
 	unsigned int i, j, k;
 	unsigned int window, len;
-	isc_boolean_t first = ISC_FALSE;
+	isc_boolean_t first = ISC_TRUE;
 
 	for (i = 0; i < sr->length; i += len) {
 		if (tctx != NULL &&
@@ -530,7 +541,7 @@ typemap_totext(isc_region_t *sr, dns_rdata_textctx_t *tctx,
 					RETERR(dns_rdatatype_totext(t, target));
 				} else {
 					char buf[sizeof("TYPE65535")];
-					sprintf(buf, "TYPE%u", t);
+					snprintf(buf, sizeof(buf), "TYPE%u", t);
 					RETERR(str_totext(buf, target));
 				}
 			}
@@ -1212,7 +1223,7 @@ dns_rdata_fromstruct(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
 }
 
 isc_result_t
-dns_rdata_tostruct(dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
+dns_rdata_tostruct(const dns_rdata_t *rdata, void *target, isc_mem_t *mctx) {
 	isc_result_t result = ISC_R_NOTIMPLEMENTED;
 	isc_boolean_t use_default = ISC_FALSE;
 
@@ -1341,8 +1352,12 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
 		char *endp;
 		unsigned int val;
 
-		strncpy(buf, source->base + 4, source->length - 4);
-		buf[source->length - 4] = '\0';
+		/*
+		 * source->base is not required to be NUL terminated.
+		 * Copy up to remaining bytes and NUL terminate.
+		 */
+		snprintf(buf, sizeof(buf), "%.*s",
+			 (int)(source->length - 4), source->base + 4);
 		val = strtoul(buf, &endp, 10);
 		if (*endp == '\0' && val <= 0xffff) {
 			*typep = (dns_rdatatype_t)val;
@@ -1458,6 +1473,7 @@ txt_totext(isc_region_t *source, isc_boolean_t quote, isc_buffer_t *target) {
 			return (ISC_R_NOSPACE);
 		*tp++ = '"';
 		tl--;
+		POST(tl);
 	}
 	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
 	isc_region_consume(source, *source->base + 1);
@@ -1590,8 +1606,8 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
 				tl -= 4;
 				continue;
 			}
-			/* double quote, semi-colon, backslash */
-			if (*sp == 0x22 || *sp == 0x3b || *sp == 0x5c) {
+			/* double quote, backslash */
+			if (*sp == 0x22 || *sp == 0x5c) {
 				if (tl < 2)
 					return (ISC_R_NOSPACE);
 				*tp++ = '\\';
@@ -1608,6 +1624,7 @@ multitxt_totext(isc_region_t *source, isc_buffer_t *target) {
 		return (ISC_R_NOSPACE);
 	*tp++ = '"';
 	tl--;
+	POST(tl);
 	isc_buffer_add(target, (unsigned int)(tp - (char *)region.base));
 	return (ISC_R_SUCCESS);
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c
index 009d17cfb1d..c401ba16a1d 100644
--- a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c
+++ b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.c,v 1.7 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tsig_250.c,v 1.8 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
 
@@ -183,7 +182,7 @@ totext_any_tsig(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -191,7 +190,7 @@ totext_any_tsig(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", n);
+	snprintf(buf, sizeof(buf), "%u", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -219,7 +218,7 @@ totext_any_tsig(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -234,7 +233,7 @@ totext_any_tsig(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, " %u ", n);
+	snprintf(buf, sizeof(buf), " %u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.h b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.h
index c0af536f75c..26f0799d2c2 100644
--- a/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.h
+++ b/usr.sbin/bind/lib/dns/rdata/any_255/tsig_250.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tsig_250.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef ANY_255_TSIG_250_H
 #define ANY_255_TSIG_250_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.c b/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.c
index f7198e7c7c1..a608f0c5fde 100644
--- a/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.c
+++ b/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.3 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.c,v 1.4 2019/12/17 01:46:33 sthen Exp $ */
 
 /* by Bjorn.Victor@it.uu.se, 2005-05-07 */
 /* Based on generic/soa_6.c and generic/mx_15.c */
@@ -88,7 +88,7 @@ totext_ch_a(ARGS_TOTEXT) {
 	sub = name_prefix(&name, tctx->origin, &prefix);
 	RETERR(dns_name_totext(&prefix, sub, target));
 
-	sprintf(buf, "%o", addr); /* note octal */
+	snprintf(buf, sizeof(buf), "%o", addr); /* note octal */
 	RETERR(str_totext(" ", target));
 	return (str_totext(buf, target));
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.h b/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.h
index 67b799885c4..59394e55e38 100644
--- a/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.h
+++ b/usr.sbin/bind/lib/dns/rdata/ch_3/a_1.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* by Bjorn.Victor@it.uu.se, 2005-05-07 */
 /* Based on generic/mx_15.h */
@@ -27,7 +27,7 @@ typedef isc_uint16_t ch_addr_t;
 typedef struct dns_rdata_ch_a {
 	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
-  	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
+	dns_name_t		ch_addr_dom; /* ch-addr domain for back mapping */
 	ch_addr_t		ch_addr; /* chaos address (16 bit) network order */
 } dns_rdata_ch_a_t;
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.c b/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.c
index 3a115d303ab..c259dea724b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: afsdb_18.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: afsdb_18.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
 
@@ -86,7 +85,7 @@ totext_afsdb(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", num);
+	snprintf(buf, sizeof(buf), "%u ", num);
 	RETERR(str_totext(buf, target));
 	dns_name_fromregion(&name, &region);
 	sub = name_prefix(&name, tctx->origin, &prefix);
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.h b/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.h
index 39bd1731b30..dbc4842a25c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/afsdb_18.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_AFSDB_18_H
 #define GENERIC_AFSDB_18_H 1
 
-/* $Id: afsdb_18.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: afsdb_18.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/avc_258.c b/usr.sbin/bind/lib/dns/rdata/generic/avc_258.c
index e74903f4855..553e0442f4b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/avc_258.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/avc_258.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/avc_258.h b/usr.sbin/bind/lib/dns/rdata/generic/avc_258.h
index d32282e3d06..414b04a043a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/avc_258.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/avc_258.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/caa_257.c b/usr.sbin/bind/lib/dns/rdata/generic/caa_257.c
index 1a681652afc..42155f6bc1f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/caa_257.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/caa_257.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -103,7 +103,7 @@ totext_caa(ARGS_TOTEXT) {
 	 * Flags
 	 */
 	flags = uint8_consume_fromregion(&region);
-	sprintf(buf, "%u ", flags);
+	snprintf(buf, sizeof(buf), "%u ", flags);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/caa_257.h b/usr.sbin/bind/lib/dns/rdata/generic/caa_257.h
index 447c8a34502..41168746368 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/caa_257.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/caa_257.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 #ifndef GENERIC_CAA_257_H
 #define GENERIC_CAA_257_H 1
 
-/* $Id: caa_257.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: caa_257.h,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_caa {
 	dns_rdatacommon_t	common;
@@ -26,7 +26,7 @@ typedef struct dns_rdata_caa {
 	unsigned char *		tag;
 	isc_uint8_t		tag_len;
 	unsigned char		*value;
-	isc_uint8_t		value_len;
+	isc_uint16_t		value_len;
 } dns_rdata_caa_t;
 
 #endif /* GENERIC_CAA_257_H */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.c b/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.c
index 9b4305d5dba..7120f39ffa2 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.h b/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.h
index c52035eacee..ee0e6c6b61d 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cdnskey_60.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cds_59.c b/usr.sbin/bind/lib/dns/rdata/generic/cds_59.c
index 2d64e3106df..2c562714f06 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cds_59.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cds_59.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cds_59.h b/usr.sbin/bind/lib/dns/rdata/generic/cds_59.h
index c51cefbf27c..650edf15255 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cds_59.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cds_59.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cert_37.c b/usr.sbin/bind/lib/dns/rdata/generic/cert_37.c
index a8224f2fed4..8d1711a747e 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cert_37.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cert_37.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: cert_37.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
 
@@ -94,7 +93,7 @@ totext_cert(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cert_37.h b/usr.sbin/bind/lib/dns/rdata/generic/cert_37.h
index 0f7247c82a2..9c6bb717c13 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cert_37.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cert_37.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: cert_37.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_CERT_37_H
 #define GENERIC_CERT_37_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cname_5.c b/usr.sbin/bind/lib/dns/rdata/generic/cname_5.c
index 13b66535bb4..97ea9a0e2fc 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cname_5.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cname_5.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: cname_5.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/cname_5.h b/usr.sbin/bind/lib/dns/rdata/generic/cname_5.h
index 284b8d9764c..3abbd5bd193 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/cname_5.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/cname_5.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: cname_5.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_CNAME_5_H
 #define GENERIC_CNAME_5_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/csync_62.c b/usr.sbin/bind/lib/dns/rdata/generic/csync_62.c
index cd801959307..0d5dcc58061 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/csync_62.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/csync_62.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -64,16 +64,22 @@ totext_csync(ARGS_TOTEXT) {
 
 	num = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu", num);
+	snprintf(buf, sizeof(buf), "%lu", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
 
 	num = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", num);
+	snprintf(buf, sizeof(buf), "%lu", num);
 	RETERR(str_totext(buf, target));
 
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
 	return (typemap_totext(&sr, NULL, target));
 }
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/csync_62.h b/usr.sbin/bind/lib/dns/rdata/generic/csync_62.h
index 1e4d3de4281..1a70a49d4a2 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/csync_62.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/csync_62.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.c b/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.c
index c43b257749b..ee58fe3c0a4 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.c,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dlv_32769.c,v 1.5 2019/12/17 01:46:33 sthen Exp $ */
 
 /* RFC3658 */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.h b/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.h
index 92ab16b24b8..5a2c2887585 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dlv_32769.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dlv_32769.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 #ifndef GENERIC_DLV_32769_H
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dname_39.c b/usr.sbin/bind/lib/dns/rdata/generic/dname_39.c
index 4aafd56aa0f..72330afc194 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dname_39.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dname_39.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dname_39.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dname_39.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dname_39.h b/usr.sbin/bind/lib/dns/rdata/generic/dname_39.h
index 5e51be51486..669b493df54 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dname_39.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dname_39.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef GENERIC_DNAME_39_H
 #define GENERIC_DNAME_39_H 1
 
-/* $Id: dname_39.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dname_39.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief per RFC2672 */
 
 typedef struct dns_rdata_dname {
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.c b/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.c
index 09cb1e422b6..634049f79d8 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnskey_48.c,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: dnskey_48.c,v 1.5 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.h b/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.h
index 67b1d7a3573..5e71254a3af 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/dnskey_48.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/doa_259.c b/usr.sbin/bind/lib/dns/rdata/generic/doa_259.c
new file mode 100644
index 00000000000..555a72bfa5c
--- /dev/null
+++ b/usr.sbin/bind/lib/dns/rdata/generic/doa_259.c
@@ -0,0 +1,363 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef RDATA_GENERIC_DOA_259_C
+#define RDATA_GENERIC_DOA_259_C
+
+#define RRTYPE_DOA_ATTRIBUTES (0)
+
+static inline isc_result_t
+fromtext_doa(ARGS_FROMTEXT) {
+	isc_token_t token;
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	RETERR(uint32_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffU) {
+		RETTOK(ISC_R_RANGE);
+	}
+	RETERR(uint8_tobuffer(token.value.as_ulong, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_qstring,
+				      ISC_FALSE));
+	RETTOK(txt_fromtext(&token.value.as_textregion, target));
+
+	/*
+	 * DOA-DATA
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		return (ISC_R_SUCCESS);
+	} else {
+		isc_lex_ungettoken(lexer, &token);
+		return (isc_base64_tobuffer(lexer, target, -1));
+	}
+}
+
+static inline isc_result_t
+totext_doa(ARGS_TOTEXT) {
+	char buf[sizeof("4294967295 ")];
+	isc_region_t region;
+	isc_uint32_t n;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-TYPE
+	 */
+	n = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-LOCATION
+	 */
+	n = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	snprintf(buf, sizeof(buf), "%u ", n);
+	RETERR(str_totext(buf, target));
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	RETERR(txt_totext(&region, ISC_TRUE, target));
+	RETERR(str_totext(" ", target));
+
+	/*
+	 * DOA-DATA
+	 */
+	if (region.length == 0) {
+		return (str_totext("-", target));
+	} else {
+		return (isc_base64_totext(&region, 60, "", target));
+	}
+}
+
+static inline isc_result_t
+fromwire_doa(ARGS_FROMWIRE) {
+	isc_region_t region;
+
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	isc_buffer_activeregion(source, &region);
+	/*
+	 * DOA-MEDIA-TYPE may be an empty <character-string> (i.e.,
+	 * comprising of just the length octet) and DOA-DATA can have
+	 * zero length.
+	 */
+	if (region.length < 4 + 4 + 1 + 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	/*
+	 * Check whether DOA-MEDIA-TYPE length is not malformed.
+	 */
+	if (region.base[9] > region.length - 10) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+
+	isc_buffer_forward(source, region.length);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline isc_result_t
+towire_doa(ARGS_TOWIRE) {
+	isc_region_t region;
+
+	UNUSED(cctx);
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &region);
+	return (mem_tobuffer(target, region.base, region.length));
+}
+
+static inline int
+compare_doa(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1 != NULL);
+	REQUIRE(rdata2 != NULL);
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->type == dns_rdatatype_doa);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_doa(ARGS_FROMSTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(type == dns_rdatatype_doa);
+	REQUIRE(source != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+	REQUIRE(doa->common.rdclass == rdclass);
+
+	RETERR(uint32_tobuffer(doa->enterprise, target));
+	RETERR(uint32_tobuffer(doa->type, target));
+	RETERR(uint8_tobuffer(doa->location, target));
+	RETERR(uint8_tobuffer(doa->mediatype_len, target));
+	RETERR(mem_tobuffer(target, doa->mediatype, doa->mediatype_len));
+	return (mem_tobuffer(target, doa->data, doa->data_len));
+}
+
+static inline isc_result_t
+tostruct_doa(ARGS_TOSTRUCT) {
+	dns_rdata_doa_t *doa = target;
+	isc_region_t region;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+	REQUIRE(rdata->length != 0);
+
+	doa->common.rdclass = rdata->rdclass;
+	doa->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&doa->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	/*
+	 * DOA-ENTERPRISE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->enterprise = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-TYPE
+	 */
+	if (region.length < 4) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->type = uint32_fromregion(&region);
+	isc_region_consume(&region, 4);
+
+	/*
+	 * DOA-LOCATION
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->location = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+
+	/*
+	 * DOA-MEDIA-TYPE
+	 */
+	if (region.length < 1) {
+		return (ISC_R_UNEXPECTEDEND);
+	}
+	doa->mediatype_len = uint8_fromregion(&region);
+	isc_region_consume(&region, 1);
+	INSIST(doa->mediatype_len <= region.length);
+	doa->mediatype = mem_maybedup(mctx, region.base, doa->mediatype_len);
+	if (doa->mediatype == NULL) {
+		goto cleanup;
+	}
+	isc_region_consume(&region, doa->mediatype_len);
+
+	/*
+	 * DOA-DATA
+	 */
+	doa->data_len = region.length;
+	doa->data = NULL;
+	if (doa->data_len > 0) {
+		doa->data = mem_maybedup(mctx, region.base, doa->data_len);
+		if (doa->data == NULL) {
+			goto cleanup;
+		}
+		isc_region_consume(&region, doa->data_len);
+	}
+
+	doa->mctx = mctx;
+
+	return (ISC_R_SUCCESS);
+
+cleanup:
+	if (mctx != NULL && doa->mediatype != NULL) {
+		isc_mem_free(mctx, doa->mediatype);
+	}
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_doa(ARGS_FREESTRUCT) {
+	dns_rdata_doa_t *doa = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(doa->common.rdtype == dns_rdatatype_doa);
+
+	if (doa->mctx == NULL) {
+		return;
+	}
+
+	if (doa->mediatype != NULL) {
+		isc_mem_free(doa->mctx, doa->mediatype);
+	}
+	if (doa->data != NULL) {
+		isc_mem_free(doa->mctx, doa->data);
+	}
+
+	doa->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_doa(ARGS_ADDLDATA) {
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_doa(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_doa(ARGS_CHECKOWNER) {
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	REQUIRE(type == dns_rdatatype_doa);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_doa(ARGS_CHECKNAMES) {
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	REQUIRE(rdata->type == dns_rdatatype_doa);
+
+	return (ISC_TRUE);
+}
+
+static inline int
+casecompare_doa(ARGS_COMPARE) {
+	return (compare_doa(rdata1, rdata2));
+}
+
+#endif	/* RDATA_GENERIC_DOA_259_C */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/doa_259.h b/usr.sbin/bind/lib/dns/rdata/generic/doa_259.h
new file mode 100644
index 00000000000..c5dc69de7fe
--- /dev/null
+++ b/usr.sbin/bind/lib/dns/rdata/generic/doa_259.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef GENERIC_DOA_259_H
+#define GENERIC_DOA_259_H 1
+
+typedef struct dns_rdata_doa {
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	unsigned char *		mediatype;
+	unsigned char *		data;
+	isc_uint32_t		enterprise;
+	isc_uint32_t		type;
+	isc_uint16_t		data_len;
+	isc_uint8_t		location;
+	isc_uint8_t		mediatype_len;
+} dns_rdata_doa_t;
+
+#endif /* GENERIC_DOA_259_H */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c
index f1ce7fe2a4e..d861dcb2be5 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ds_43.c,v 1.6 2019/12/17 01:46:33 sthen Exp $ */
 
 /* RFC3658 */
 
@@ -120,7 +119,7 @@ generic_totext_ds(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -128,7 +127,7 @@ generic_totext_ds(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -136,7 +135,7 @@ generic_totext_ds(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
+	snprintf(buf, sizeof(buf), "%u", n);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.h b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.h
index 07c5647a555..17f5736f532 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ds_43.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ds_43.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ds_43.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_DS_43_H
 #define GENERIC_DS_43_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.c b/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.c
index 9910e48c3dc..0f3ec00e448 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.h b/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.h
index 508c61fd680..14a65dc6969 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/eui48_108.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.c b/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.c
index 6ac7f0d619f..d444b824b24 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.h b/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.h
index 56996f8ff31..60fc0b39512 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/eui64_109.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.c b/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.c
index 32ea3762709..b6331fa4f75 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gpos_27.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: gpos_27.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.h b/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.h
index efef63a4fc1..2327c2d5c6b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/gpos_27.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_GPOS_27_H
 #define GENERIC_GPOS_27_H 1
 
-/* $Id: gpos_27.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: gpos_27.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief per RFC1712 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.c b/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.c
index f9abc73f0f2..4c06cf46366 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hinfo_13.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hinfo_13.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.h b/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.h
index a19a00af463..f985fd1828a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/hinfo_13.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_HINFO_13_H
 #define GENERIC_HINFO_13_H 1
 
-/* $Id: hinfo_13.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hinfo_13.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_hinfo {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/hip_55.c b/usr.sbin/bind/lib/dns/rdata/generic/hip_55.c
index 0999b5f2208..a68a180d5f8 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/hip_55.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/hip_55.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hip_55.c,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: hip_55.c,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: TBC */
 
@@ -148,7 +148,7 @@ totext_hip(ARGS_TOTEXT) {
 	/*
 	 * Algorithm
 	 */
-	sprintf(buf, "%u ", algorithm);
+	snprintf(buf, sizeof(buf), "%u ", algorithm);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/hip_55.h b/usr.sbin/bind/lib/dns/rdata/generic/hip_55.h
index 6b896445b4b..a29e9f01da8 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/hip_55.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/hip_55.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hip_55.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: hip_55.h,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_HIP_5_H
 #define GENERIC_HIP_5_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.c b/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.c
index eb489776e90..01f2519d60f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2009, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.c,v 1.3 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ipseckey_45.c,v 1.4 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef RDATA_GENERIC_IPSECKEY_45_C
 #define RDATA_GENERIC_IPSECKEY_45_C
@@ -142,7 +142,7 @@ totext_ipseckey(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint8_fromregion(&region);
 	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", num);
+	snprintf(buf, sizeof(buf), "%u ", num);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -150,7 +150,7 @@ totext_ipseckey(ARGS_TOTEXT) {
 	 */
 	gateway = uint8_fromregion(&region);
 	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", gateway);
+	snprintf(buf, sizeof(buf), "%u ", gateway);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -158,7 +158,7 @@ totext_ipseckey(ARGS_TOTEXT) {
 	 */
 	num = uint8_fromregion(&region);
 	isc_region_consume(&region, 1);
-	sprintf(buf, "%u ", num);
+	snprintf(buf, sizeof(buf), "%u ", num);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.h b/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.h
index 4a68bed5071..028d132a52a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ipseckey_45.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ipseckey_45.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_IPSECKEY_45_H
 #define GENERIC_IPSECKEY_45_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.c b/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.c
index 3fabd217e24..5c57e0ff452 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: isdn_20.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: isdn_20.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.h b/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.h
index 37a73975e23..cb4b0320f1a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/isdn_20.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_ISDN_20_H
 #define GENERIC_ISDN_20_H 1
 
-/* $Id: isdn_20.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: isdn_20.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC1183 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/key_25.c b/usr.sbin/bind/lib/dns/rdata/generic/key_25.c
index 30a05b0e9fd..339332f16ac 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/key_25.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/key_25.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key_25.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: key_25.c,v 1.6 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
@@ -94,7 +93,7 @@ generic_totext_key(ARGS_TOTEXT) {
 	/* flags */
 	flags = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", flags);
+	snprintf(buf, sizeof(buf), "%u", flags);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 	if ((flags & DNS_KEYFLAG_KSK) != 0) {
@@ -107,14 +106,14 @@ generic_totext_key(ARGS_TOTEXT) {
 
 
 	/* protocol */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
 	/* algorithm */
 	algorithm = sr.base[0];
-	sprintf(buf, "%u", algorithm);
+	snprintf(buf, sizeof(buf), "%u", algorithm);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 
@@ -170,7 +169,8 @@ generic_totext_key(ARGS_TOTEXT) {
 		RETERR(str_totext(algbuf, target));
 		RETERR(str_totext(" ; key id = ", target));
 		dns_rdata_toregion(rdata, &tmpr);
-		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+		snprintf(buf, sizeof(buf), "%u",
+			 dst_region_computeid(&tmpr, algorithm));
 		RETERR(str_totext(buf, target));
 	}
 	return (ISC_R_SUCCESS);
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/key_25.h b/usr.sbin/bind/lib/dns/rdata/generic/key_25.h
index 87d43c82db6..8bb77a7ae86 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/key_25.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/key_25.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_KEY_25_H
 #define GENERIC_KEY_25_H 1
 
-/* $Id: key_25.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: key_25.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC2535 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.c b/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.c
index 3be76989f7b..494e4f81237 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -98,7 +98,7 @@ totext_keydata(ARGS_TOTEXT) {
 	char buf[sizeof("64000")];
 	unsigned int flags;
 	unsigned char algorithm;
-	unsigned long refresh, add, delete;
+	unsigned long refresh, add, deltime;
 	char algbuf[DNS_NAME_FORMATSIZE];
 	const char *keyinfo;
 
@@ -122,15 +122,15 @@ totext_keydata(ARGS_TOTEXT) {
 	RETERR(str_totext(" ", target));
 
 	/* remove hold-down */
-	delete = uint32_fromregion(&sr);
+	deltime = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	RETERR(dns_time32_totext(delete, target));
+	RETERR(dns_time32_totext(deltime, target));
 	RETERR(str_totext(" ", target));
 
 	/* flags */
 	flags = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u", flags);
+	snprintf(buf, sizeof(buf), "%u", flags);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 	if ((flags & DNS_KEYFLAG_KSK) != 0) {
@@ -142,14 +142,14 @@ totext_keydata(ARGS_TOTEXT) {
 		keyinfo = "ZSK";
 
 	/* protocol */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
 	/* algorithm */
 	algorithm = sr.base[0];
-	sprintf(buf, "%u", algorithm);
+	snprintf(buf, sizeof(buf), "%u", algorithm);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 
@@ -192,7 +192,8 @@ totext_keydata(ARGS_TOTEXT) {
 		dns_rdata_toregion(rdata, &tmpr);
 		/* Skip over refresh, addhd, and removehd */
 		isc_region_consume(&tmpr, 12);
-		sprintf(buf, "%u", dst_region_computeid(&tmpr, algorithm));
+		snprintf(buf, sizeof(buf), "%u",
+			 dst_region_computeid(&tmpr, algorithm));
 		RETERR(str_totext(buf, target));
 
 		if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
@@ -224,11 +225,11 @@ totext_keydata(ARGS_TOTEXT) {
 				RETERR(str_totext(abuf, target));
 			}
 
-			if (delete != 0U) {
+			if (deltime != 0U) {
 				RETERR(str_totext(tctx->linebreak, target));
 				RETERR(str_totext("; removal pending: ",
 						  target));
-				isc_time_set(&t, delete, 0);
+				isc_time_set(&t, deltime, 0);
 				isc_time_formathttptimestamp(&t, dbuf,
 							     sizeof(dbuf));
 				RETERR(str_totext(dbuf, target));
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.h b/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.h
index c231706efb8..4b301512080 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/keydata_65533.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 #ifndef GENERIC_KEYDATA_65533_H
 #define GENERIC_KEYDATA_65533_H 1
 
-/* $Id: keydata_65533.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: keydata_65533.h,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_keydata {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/l32_105.c b/usr.sbin/bind/lib/dns/rdata/generic/l32_105.c
index d721d04f65d..74ddd0d0c53 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/l32_105.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/l32_105.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -70,7 +70,7 @@ totext_l32(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/l32_105.h b/usr.sbin/bind/lib/dns/rdata/generic/l32_105.h
index f95db22e883..41d64d3b569 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/l32_105.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/l32_105.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/l64_106.c b/usr.sbin/bind/lib/dns/rdata/generic/l64_106.c
index 863e9646117..b75b663e4d7 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/l64_106.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/l64_106.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -64,16 +64,16 @@ totext_l64(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
 
-	sprintf(buf, "%x:%x:%x:%x",
-		region.base[0]<<8 | region.base[1],
-		region.base[2]<<8 | region.base[3],
-		region.base[4]<<8 | region.base[5],
-		region.base[6]<<8 | region.base[7]);
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0]<<8 | region.base[1],
+		 region.base[2]<<8 | region.base[3],
+		 region.base[4]<<8 | region.base[5],
+		 region.base[6]<<8 | region.base[7]);
 	return (str_totext(buf, target));
 }
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/l64_106.h b/usr.sbin/bind/lib/dns/rdata/generic/l64_106.h
index 8f93fc513f6..8550f13ca31 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/l64_106.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/l64_106.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/loc_29.c b/usr.sbin/bind/lib/dns/rdata/generic/loc_29.c
index 8732346204d..860177e8a2f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/loc_29.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/loc_29.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: loc_29.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
@@ -487,22 +486,31 @@ totext_loc(ARGS_TOTEXT) {
 
 	size = sr.base[1];
 	INSIST((size&0x0f) < 10 && (size>>4) < 10);
-	if ((size&0x0f)> 1)
-		sprintf(sbuf, "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
-	else
-		sprintf(sbuf, "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
+	if ((size&0x0f)> 1) {
+		snprintf(sbuf, sizeof(sbuf),
+			 "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
+	} else {
+		snprintf(sbuf, sizeof(sbuf),
+			 "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
+	}
 	hp = sr.base[2];
 	INSIST((hp&0x0f) < 10 && (hp>>4) < 10);
-	if ((hp&0x0f)> 1)
-		sprintf(hbuf, "%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
-	else
-		sprintf(hbuf, "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
+	if ((hp&0x0f)> 1) {
+		snprintf(hbuf, sizeof(hbuf),
+			"%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
+	} else {
+		snprintf(hbuf, sizeof(hbuf),
+			 "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
+	}
 	vp = sr.base[3];
 	INSIST((vp&0x0f) < 10 && (vp>>4) < 10);
-	if ((vp&0x0f)> 1)
-		sprintf(vbuf, "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
-	else
-		sprintf(vbuf, "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
+	if ((vp&0x0f)> 1) {
+		snprintf(vbuf, sizeof(vbuf),
+			 "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
+	} else {
+		snprintf(vbuf, sizeof(vbuf),
+			 "0.%02lum", (vp>>4) * poweroften[(vp&0x0f)]);
+	}
 	isc_region_consume(&sr, 4);
 
 	latitude = uint32_fromregion(&sr);
@@ -551,11 +559,12 @@ totext_loc(ARGS_TOTEXT) {
 		altitude -= 10000000;
 	}
 
-	sprintf(buf, "%d %d %d.%03d %s %d %d %d.%03d %s %s%ld.%02ldm %s %s %s",
-		d1, m1, s1, fs1, north ? "N" : "S",
-		d2, m2, s2, fs2, east ? "E" : "W",
-		below ? "-" : "", altitude/100, altitude % 100,
-		sbuf, hbuf, vbuf);
+	snprintf(buf, sizeof(buf),
+		 "%d %d %d.%03d %s %d %d %d.%03d %s %s%lu.%02lum %s %s %s",
+		 d1, m1, s1, fs1, north ? "N" : "S",
+		 d2, m2, s2, fs2, east ? "E" : "W",
+		 below ? "-" : "", altitude/100, altitude % 100,
+		 sbuf, hbuf, vbuf);
 
 	return (str_totext(buf, target));
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/loc_29.h b/usr.sbin/bind/lib/dns/rdata/generic/loc_29.h
index b4fec8a400a..9edbfad48b8 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/loc_29.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/loc_29.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_LOC_29_H
 #define GENERIC_LOC_29_H 1
 
-/* $Id: loc_29.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: loc_29.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC1876 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/lp_107.c b/usr.sbin/bind/lib/dns/rdata/generic/lp_107.c
index b9e2f039f82..a0d5c2c1e84 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/lp_107.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/lp_107.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -69,7 +69,7 @@ totext_lp(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/lp_107.h b/usr.sbin/bind/lib/dns/rdata/generic/lp_107.h
index cbfee8a49cb..eb06107bd71 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/lp_107.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/lp_107.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mb_7.c b/usr.sbin/bind/lib/dns/rdata/generic/mb_7.c
index b17f3c51b13..2f07239a869 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mb_7.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mb_7.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mb_7.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mb_7.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mb_7.h b/usr.sbin/bind/lib/dns/rdata/generic/mb_7.h
index 8dbeb07cb8b..e8bc0f8f25b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mb_7.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mb_7.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MB_7_H
 #define GENERIC_MB_7_H 1
 
-/* $Id: mb_7.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mb_7.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_mb {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/md_3.c b/usr.sbin/bind/lib/dns/rdata/generic/md_3.c
index 1b62ca4476e..4ee29397486 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/md_3.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/md_3.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md_3.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: md_3.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/md_3.h b/usr.sbin/bind/lib/dns/rdata/generic/md_3.h
index 19093795100..c0a6eb222d7 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/md_3.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/md_3.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MD_3_H
 #define GENERIC_MD_3_H 1
 
-/* $Id: md_3.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: md_3.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_md {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mf_4.c b/usr.sbin/bind/lib/dns/rdata/generic/mf_4.c
index 9fb8803a16d..95569041031 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mf_4.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mf_4.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mf_4.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mf_4.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mf_4.h b/usr.sbin/bind/lib/dns/rdata/generic/mf_4.h
index 36f679384dd..b5d89c9d96c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mf_4.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mf_4.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MF_4_H
 #define GENERIC_MF_4_H 1
 
-/* $Id: mf_4.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mf_4.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_mf {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mg_8.c b/usr.sbin/bind/lib/dns/rdata/generic/mg_8.c
index 57e8c5f6e8c..77b2c1d7c23 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mg_8.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mg_8.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mg_8.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mg_8.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mg_8.h b/usr.sbin/bind/lib/dns/rdata/generic/mg_8.h
index e21e7bf4a99..fec43c2aa63 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mg_8.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mg_8.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MG_8_H
 #define GENERIC_MG_8_H 1
 
-/* $Id: mg_8.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mg_8.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_mg {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.c b/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.c
index 6e48f1e5f22..dd332274fc1 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: minfo_14.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: minfo_14.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.h b/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.h
index d9bdb3d2b6b..93d3ffb719a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/minfo_14.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MINFO_14_H
 #define GENERIC_MINFO_14_H 1
 
-/* $Id: minfo_14.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: minfo_14.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_minfo {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mr_9.c b/usr.sbin/bind/lib/dns/rdata/generic/mr_9.c
index b5dc8d5985d..ab1002fa02e 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mr_9.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mr_9.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mr_9.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mr_9.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mr_9.h b/usr.sbin/bind/lib/dns/rdata/generic/mr_9.h
index 76425b89877..ed512efb5c1 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mr_9.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mr_9.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MR_9_H
 #define GENERIC_MR_9_H 1
 
-/* $Id: mr_9.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mr_9.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_mr {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mx_15.c b/usr.sbin/bind/lib/dns/rdata/generic/mx_15.c
index cf8621e0047..003501fec93 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mx_15.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mx_15.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mx_15.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mx_15.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
 
@@ -108,7 +107,7 @@ totext_mx(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/mx_15.h b/usr.sbin/bind/lib/dns/rdata/generic/mx_15.h
index 69583f1a477..bd25649af18 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/mx_15.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/mx_15.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_MX_15_H
 #define GENERIC_MX_15_H 1
 
-/* $Id: mx_15.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: mx_15.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_mx {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.c b/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.c
index 9c0beb3171a..9cd75525421 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: naptr_35.c,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
@@ -209,7 +208,7 @@ totext_naptr(ARGS_TOTEXT) {
 	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
@@ -218,7 +217,7 @@ totext_naptr(ARGS_TOTEXT) {
 	 */
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.h b/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.h
index f4ff63322a0..6c89996675c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/naptr_35.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_NAPTR_35_H
 #define GENERIC_NAPTR_35_H 1
 
-/* $Id: naptr_35.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: naptr_35.h,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC2915 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nid_104.c b/usr.sbin/bind/lib/dns/rdata/generic/nid_104.c
index 6028676bcc1..a567a3242cd 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nid_104.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nid_104.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -64,16 +64,16 @@ totext_nid(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
 
-	sprintf(buf, "%x:%x:%x:%x",
-		region.base[0]<<8 | region.base[1],
-		region.base[2]<<8 | region.base[3],
-		region.base[4]<<8 | region.base[5],
-		region.base[6]<<8 | region.base[7]);
+	snprintf(buf, sizeof(buf), "%x:%x:%x:%x",
+		 region.base[0]<<8 | region.base[1],
+		 region.base[2]<<8 | region.base[3],
+		 region.base[4]<<8 | region.base[5],
+		 region.base[6]<<8 | region.base[7]);
 	return (str_totext(buf, target));
 }
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nid_104.h b/usr.sbin/bind/lib/dns/rdata/generic/nid_104.h
index 64a3ba477df..7c47c9b0b78 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nid_104.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nid_104.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.c b/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.c
index f31f47ed65e..5d4bc62791e 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -160,7 +160,7 @@ checknames_ninfo(ARGS_CHECKNAMES) {
 	return (ISC_TRUE);
 }
 
-static inline isc_result_t
+static inline int
 casecompare_ninfo(ARGS_COMPARE) {
 	return (compare_ninfo(rdata1, rdata2));
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.h b/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.h
index 343cae387b0..a7f2eb0477a 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ninfo_56.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ns_2.c b/usr.sbin/bind/lib/dns/rdata/generic/ns_2.c
index 5d815bbc9d6..c6bd8804a9c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ns_2.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ns_2.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_2.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ns_2.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ns_2.h b/usr.sbin/bind/lib/dns/rdata/generic/ns_2.h
index d75c41650c0..e246a11a579 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ns_2.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ns_2.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_NS_2_H
 #define GENERIC_NS_2_H 1
 
-/* $Id: ns_2.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ns_2.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_ns {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.c b/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.c
index ab80e519b73..5c4700edcb1 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3_50.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec3_50.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Copyright (C) 2004  Nominet, Ltd.
@@ -123,19 +123,19 @@ totext_nsec3(ARGS_TOTEXT) {
 	/* Hash */
 	hash = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", hash);
+	snprintf(buf, sizeof(buf), "%u ", hash);
 	RETERR(str_totext(buf, target));
 
 	/* Flags */
 	flags = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", flags);
+	snprintf(buf, sizeof(buf), "%u ", flags);
 	RETERR(str_totext(buf, target));
 
 	/* Iterations */
 	iterations = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%u ", iterations);
+	snprintf(buf, sizeof(buf), "%u ", iterations);
 	RETERR(str_totext(buf, target));
 
 	/* Salt */
@@ -165,9 +165,12 @@ totext_nsec3(ARGS_TOTEXT) {
 	RETERR(isc_base32hexnp_totext(&sr, 1, "", target));
 	sr.length = i - j;
 
-	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0)
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (((tctx->flags & DNS_STYLEFLAG_MULTILINE) == 0) && (sr.length > 0)) {
 		RETERR(str_totext(" ", target));
-
+	}
 	RETERR(typemap_totext(&sr, tctx, target));
 
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.h b/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.h
index c9684c71421..8c1003e7817 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec3_50.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NSEC3_50_H
 #define GENERIC_NSEC3_50_H 1
 
-/* $Id: nsec3_50.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec3_50.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC 5155 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.c b/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.c
index 2218a409884..9a8a0be6078 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec3param_51.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec3param_51.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Copyright (C) 2004  Nominet, Ltd.
@@ -117,13 +117,13 @@ totext_nsec3param(ARGS_TOTEXT) {
 	iterations = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
 
-	sprintf(buf, "%u ", hash);
+	snprintf(buf, sizeof(buf), "%u ", hash);
 	RETERR(str_totext(buf, target));
 
-	sprintf(buf, "%u ", flags);
+	snprintf(buf, sizeof(buf), "%u ", flags);
 	RETERR(str_totext(buf, target));
 
-	sprintf(buf, "%u ", iterations);
+	snprintf(buf, sizeof(buf), "%u ", iterations);
 	RETERR(str_totext(buf, target));
 
 	j = uint8_fromregion(&sr);
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.h b/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.h
index 7cdb100e0ed..4a04764814c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec3param_51.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NSEC3PARAM_51_H
 #define GENERIC_NSEC3PARAM_51_H 1
 
-/* $Id: nsec3param_51.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec3param_51.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC 5155 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.c b/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.c
index c5e30938aa2..0eae74cc250 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007-2009, 2011, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec_47.c,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec_47.c,v 1.5 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
@@ -71,6 +70,12 @@ totext_nsec(ARGS_TOTEXT) {
 	dns_name_fromregion(&name, &sr);
 	isc_region_consume(&sr, name_length(&name));
 	RETERR(dns_name_totext(&name, ISC_FALSE, target));
+	/*
+	 * Don't leave a trailing space when there's no typemap present.
+	 */
+	if (sr.length > 0) {
+		RETERR(str_totext(" ", target));
+	}
 	return (typemap_totext(&sr, NULL, target));
 }
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.h b/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.h
index 4e50a96cd75..a9fb43f93e6 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nsec_47.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_NSEC_47_H
 #define GENERIC_NSEC_47_H 1
 
-/* $Id: nsec_47.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsec_47.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  * \brief Per RFC 3845 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/null_10.c b/usr.sbin/bind/lib/dns/rdata/generic/null_10.c
index 3a562c90b7f..fbb5a0e0c15 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/null_10.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/null_10.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: null_10.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: null_10.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/null_10.h b/usr.sbin/bind/lib/dns/rdata/generic/null_10.h
index ded5d4a08c5..a659a85f6f9 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/null_10.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/null_10.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_NULL_10_H
 #define GENERIC_NULL_10_H 1
 
-/* $Id: null_10.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: null_10.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_null {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.c b/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.c
index c6b6d80a7cd..6065a805c31 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt_30.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nxt_30.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
@@ -118,7 +117,8 @@ totext_nxt(ARGS_TOTEXT) {
 								      target));
 					} else {
 						char buf[sizeof("65535")];
-						sprintf(buf, "%u", t);
+						snprintf(buf, sizeof(buf),
+							 "%u", t);
 						RETERR(str_totext(buf,
 								  target));
 					}
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.h b/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.h
index 2b148ba5fd8..c4008d5b42f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/nxt_30.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_NXT_30_H
 #define GENERIC_NXT_30_H 1
 
-/* $Id: nxt_30.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nxt_30.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief RFC2535 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.c b/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.c
index 8589f68d708..3a7b534263d 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.h b/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.h
index 2219422230c..c1673a41eb6 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/openpgpkey_61.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/opt_41.c b/usr.sbin/bind/lib/dns/rdata/generic/opt_41.c
index 0ed2551b9dd..205a6d09728 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/opt_41.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/opt_41.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -65,7 +64,7 @@ totext_opt(ARGS_TOTEXT) {
 		isc_region_consume(&r, 2);
 		length = uint16_fromregion(&r);
 		isc_region_consume(&r, 2);
-		sprintf(buf, "%u %u", option, length);
+		snprintf(buf, sizeof(buf), "%u %u", option, length);
 		RETERR(str_totext(buf, target));
 		INSIST(r.length >= length);
 		if (length > 0) {
@@ -107,6 +106,8 @@ fromwire_opt(ARGS_FROMWIRE) {
 	UNUSED(options);
 
 	isc_buffer_activeregion(source, &sregion);
+	if (sregion.length == 0)
+		return (ISC_R_SUCCESS);
 	total = 0;
 	while (sregion.length != 0) {
 		if (sregion.length < 4)
@@ -185,6 +186,11 @@ fromwire_opt(ARGS_FROMWIRE) {
 				return (DNS_R_OPTERR);
 			isc_region_consume(&sregion, length);
 			break;
+		case DNS_OPT_KEY_TAG:
+			if (length == 0 || (length % 2) != 0)
+				return (DNS_R_OPTERR);
+			isc_region_consume(&sregion, length);
+			break;
 		default:
 			isc_region_consume(&sregion, length);
 			break;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/opt_41.h b/usr.sbin/bind/lib/dns/rdata/generic/opt_41.h
index 2acf2b33a1e..408cf970cdf 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/opt_41.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/opt_41.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_OPT_41_H
 #define GENERIC_OPT_41_H 1
 
-/* $Id: opt_41.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: opt_41.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC2671 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/proforma.c b/usr.sbin/bind/lib/dns/rdata/generic/proforma.c
index 0a63e8a6fcc..e929053268c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/proforma.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/proforma.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: proforma.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: proforma.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef RDATA_GENERIC_#_#_C
 #define RDATA_GENERIC_#_#_C
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/proforma.h b/usr.sbin/bind/lib/dns/rdata/generic/proforma.h
index 87ed50b67e8..e7199d375f7 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/proforma.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/proforma.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_PROFORMA_H
 #define GENERIC_PROFORMA_H 1
 
-/* $Id: proforma.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: proforma.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_# {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.c b/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.c
index faf3b2943f6..ded62a1437c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ptr_12.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ptr_12.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
 
@@ -231,38 +230,17 @@ checkowner_ptr(ARGS_CHECKOWNER) {
 static unsigned char ip6_arpa_data[]  = "\003IP6\004ARPA";
 static unsigned char ip6_arpa_offsets[] = { 0, 4, 9 };
 static const dns_name_t ip6_arpa =
-{
-	DNS_NAME_MAGIC,
-	ip6_arpa_data, 10, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+	DNS_NAME_INITABSOLUTE(ip6_arpa_data, ip6_arpa_offsets);
 
 static unsigned char ip6_int_data[]  = "\003IP6\003INT";
 static unsigned char ip6_int_offsets[] = { 0, 4, 8 };
 static const dns_name_t ip6_int =
-{
-	DNS_NAME_MAGIC,
-	ip6_int_data, 9, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	ip6_int_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+	DNS_NAME_INITABSOLUTE(ip6_int_data, ip6_int_offsets);
 
 static unsigned char in_addr_arpa_data[]  = "\007IN-ADDR\004ARPA";
 static unsigned char in_addr_arpa_offsets[] = { 0, 8, 13 };
 static const dns_name_t in_addr_arpa =
-{
-	DNS_NAME_MAGIC,
-	in_addr_arpa_data, 14, 3,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	in_addr_arpa_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+	DNS_NAME_INITABSOLUTE(in_addr_arpa_data, in_addr_arpa_offsets);
 
 static inline isc_boolean_t
 checknames_ptr(ARGS_CHECKNAMES) {
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.h b/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.h
index 4bb70506ebc..58d28d446c6 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ptr_12.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,12 +18,12 @@
 #ifndef GENERIC_PTR_12_H
 #define GENERIC_PTR_12_H 1
 
-/* $Id: ptr_12.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: ptr_12.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_ptr {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              ptr;
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	dns_name_t              ptr;
 } dns_rdata_ptr_t;
 
 #endif /* GENERIC_PTR_12_H */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.c b/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.c
index a57d1bc13f8..15748e76b55 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.h b/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.h
index 330b3fbad8e..106b7c9aa76 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rkey_57.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rp_17.c b/usr.sbin/bind/lib/dns/rdata/generic/rp_17.c
index 0f541f5b1e7..00f99c5331b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rp_17.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rp_17.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rp_17.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rp_17.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* RFC1183 */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rp_17.h b/usr.sbin/bind/lib/dns/rdata/generic/rp_17.h
index 7d23ad32a3a..88f6fb23e99 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rp_17.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rp_17.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,16 +17,16 @@
 #ifndef GENERIC_RP_17_H
 #define GENERIC_RP_17_H 1
 
-/* $Id: rp_17.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rp_17.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
 
 typedef struct dns_rdata_rp {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        dns_name_t              mail;
-        dns_name_t              text;
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	dns_name_t              mail;
+	dns_name_t              text;
 } dns_rdata_rp_t;
 
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.c b/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.c
index 0dbf958a958..4d63ea36b05 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rrsig_46.c,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rrsig_46.c,v 1.5 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
@@ -154,7 +153,7 @@ fromtext_rrsig(ARGS_FROMTEXT) {
 static inline isc_result_t
 totext_rrsig(ARGS_TOTEXT) {
 	isc_region_t sr;
-	char buf[sizeof("4294967295")];
+	char buf[sizeof("4294967295")];	/* Also TYPE65000. */
 	dns_rdatatype_t covered;
 	unsigned long ttl;
 	unsigned long when;
@@ -179,7 +178,7 @@ totext_rrsig(ARGS_TOTEXT) {
 	if (dns_rdatatype_isknown(covered) && covered != 0) {
 		RETERR(dns_rdatatype_totext(covered, target));
 	} else {
-		sprintf(buf, "TYPE%u", covered);
+		snprintf(buf, sizeof(buf), "TYPE%u", covered);
 		RETERR(str_totext(buf, target));
 	}
 	RETERR(str_totext(" ", target));
@@ -187,7 +186,7 @@ totext_rrsig(ARGS_TOTEXT) {
 	/*
 	 * Algorithm.
 	 */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
@@ -195,7 +194,7 @@ totext_rrsig(ARGS_TOTEXT) {
 	/*
 	 * Labels.
 	 */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
@@ -205,7 +204,7 @@ totext_rrsig(ARGS_TOTEXT) {
 	 */
 	ttl = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu", ttl);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
 	RETERR(str_totext(buf, target));
 
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
@@ -233,7 +232,7 @@ totext_rrsig(ARGS_TOTEXT) {
 	 */
 	foot = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", foot);
+	snprintf(buf, sizeof(buf), "%lu", foot);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.h b/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.h
index dd3f2c2a4df..6b025b49230 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rrsig_46.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_DNSSIG_46_H
 #define GENERIC_DNSSIG_46_H 1
 
-/* $Id: rrsig_46.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rrsig_46.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC2535 */
@@ -32,7 +31,7 @@ typedef struct dns_rdata_rrsig {
 	isc_uint32_t		timeexpire;
 	isc_uint32_t		timesigned;
 	isc_uint16_t		keyid;
-        dns_name_t		signer;
+	dns_name_t		signer;
 	isc_uint16_t		siglen;
 	unsigned char *		signature;
 } dns_rdata_rrsig_t;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c
index d20dad274b3..e960b8dd7a1 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rt_21.c,v 1.7 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rt_21.c,v 1.8 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
 
@@ -81,7 +80,7 @@ totext_rt(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 	dns_name_fromregion(&name, &region);
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.h b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.h
index 15662bf72c2..c181b2c385e 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/rt_21.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/rt_21.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_RT_21_H
 #define GENERIC_RT_21_H 1
 
-/* $Id: rt_21.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rt_21.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sig_24.c b/usr.sbin/bind/lib/dns/rdata/generic/sig_24.c
index 4fc3aa734a2..f9add4f002c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sig_24.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sig_24.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig_24.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sig_24.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
@@ -155,7 +154,7 @@ totext_sig(ARGS_TOTEXT) {
 	if (dns_rdatatype_isknown(covered) && covered != 0) {
 		RETERR(dns_rdatatype_totext(covered, target));
 	} else {
-		sprintf(buf, "%u", covered);
+		snprintf(buf, sizeof(buf), "%u", covered);
 		RETERR(str_totext(buf, target));
 	}
 	RETERR(str_totext(" ", target));
@@ -163,7 +162,7 @@ totext_sig(ARGS_TOTEXT) {
 	/*
 	 * Algorithm.
 	 */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
@@ -171,7 +170,7 @@ totext_sig(ARGS_TOTEXT) {
 	/*
 	 * Labels.
 	 */
-	sprintf(buf, "%u", sr.base[0]);
+	snprintf(buf, sizeof(buf), "%u", sr.base[0]);
 	isc_region_consume(&sr, 1);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
@@ -181,7 +180,7 @@ totext_sig(ARGS_TOTEXT) {
 	 */
 	ttl = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu", ttl);
+	snprintf(buf, sizeof(buf), "%lu", ttl);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
@@ -209,7 +208,7 @@ totext_sig(ARGS_TOTEXT) {
 	 */
 	foot = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", foot);
+	snprintf(buf, sizeof(buf), "%lu", foot);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sig_24.h b/usr.sbin/bind/lib/dns/rdata/generic/sig_24.h
index 9f43fe74384..d07b58c166f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sig_24.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sig_24.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_SIG_24_H
 #define GENERIC_SIG_24_H 1
 
-/* $Id: sig_24.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sig_24.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC2535 */
@@ -33,7 +32,7 @@ typedef struct dns_rdata_sig_t {
 	isc_uint32_t		timeexpire;
 	isc_uint32_t		timesigned;
 	isc_uint16_t		keyid;
-        dns_name_t		signer;
+	dns_name_t		signer;
 	isc_uint16_t		siglen;
 	unsigned char *		signature;
 } dns_rdata_sig_t;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sink_40.c b/usr.sbin/bind/lib/dns/rdata/generic/sink_40.c
index dafa94bebf2..b12261a37e0 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sink_40.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sink_40.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -75,7 +75,7 @@ totext_sink(ARGS_TOTEXT) {
 	isc_region_consume(&sr, 1);
 	subcoding = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u %u %u", meaning, coding, subcoding);
+	snprintf(buf, sizeof(buf), "%u %u %u", meaning, coding, subcoding);
 	RETERR(str_totext(buf, target));
 
 	if (sr.length == 0U)
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sink_40.h b/usr.sbin/bind/lib/dns/rdata/generic/sink_40.h
index e6a2400c466..7b4f4a631ce 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sink_40.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sink_40.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.c b/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.c
index e46655b6c6b..16f8a357508 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.h b/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.h
index 9adc988a18b..96b5d3dd92f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/smimea_53.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/soa_6.c b/usr.sbin/bind/lib/dns/rdata/generic/soa_6.c
index 613808ec4fa..722de8ed08d 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/soa_6.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/soa_6.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: soa_6.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
@@ -137,7 +136,7 @@ totext_soa(ARGS_TOTEXT) {
 		unsigned long num;
 		num = uint32_fromregion(&dregion);
 		isc_region_consume(&dregion, 4);
-		sprintf(buf, comm ? "%-10lu ; " : "%lu", num);
+		snprintf(buf, sizeof(buf), comm ? "%-10lu ; " : "%lu", num);
 		RETERR(str_totext(buf, target));
 		if (comm) {
 			RETERR(str_totext(soa_fieldnames[i], target));
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/soa_6.h b/usr.sbin/bind/lib/dns/rdata/generic/soa_6.h
index c3685b857ee..336a4bda6c3 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/soa_6.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/soa_6.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_SOA_6_H
 #define GENERIC_SOA_6_H 1
 
-/* $Id: soa_6.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: soa_6.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_soa {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/spf_99.c b/usr.sbin/bind/lib/dns/rdata/generic/spf_99.c
index b6fb0ab32fa..f75e4a4c374 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/spf_99.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/spf_99.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spf_99.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: spf_99.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/spf_99.h b/usr.sbin/bind/lib/dns/rdata/generic/spf_99.h
index 2ffd1e30f0c..311aa6ed682 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/spf_99.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/spf_99.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_SPF_99_H
 #define GENERIC_SPF_99_H 1
 
-/* $Id: spf_99.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: spf_99.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_spf_string {
 		isc_uint8_t    length;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.c b/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.c
index 7d94d7fb62d..4853068e903 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2009, 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sshfp_44.c,v 1.6 2019/12/17 01:46:33 sthen Exp $ */
 
 /* RFC 4255 */
 
@@ -78,7 +77,7 @@ totext_sshfp(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -86,7 +85,7 @@ totext_sshfp(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
+	snprintf(buf, sizeof(buf), "%u", n);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.h b/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.h
index 939b5b3b226..7698ed9a2bf 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/sshfp_44.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.h,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: sshfp_44.h,v 1.5 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC 4255 */
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.c b/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.c
index d802211f37f..c1dd74fadea 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.h b/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.h
index 3e50ed05c0e..5a6bceb663b 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/ta_32768.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/talink_58.c b/usr.sbin/bind/lib/dns/rdata/generic/talink_58.c
index db466246904..acf89ca2893 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/talink_58.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/talink_58.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/talink_58.h b/usr.sbin/bind/lib/dns/rdata/generic/talink_58.h
index 6e52d381818..b01492e1518 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/talink_58.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/talink_58.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.c b/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.c
index 63c91fb371c..1f5612e6570 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey_249.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tkey_249.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /*
  * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
@@ -154,7 +153,7 @@ totext_tkey(ARGS_TOTEXT) {
 	 */
 	n = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu ", n);
+	snprintf(buf, sizeof(buf), "%lu ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -162,7 +161,7 @@ totext_tkey(ARGS_TOTEXT) {
 	 */
 	n = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
-	sprintf(buf, "%lu ", n);
+	snprintf(buf, sizeof(buf), "%lu ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -170,7 +169,7 @@ totext_tkey(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu ", n);
+	snprintf(buf, sizeof(buf), "%lu ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -181,7 +180,7 @@ totext_tkey(ARGS_TOTEXT) {
 	if (dns_tsigrcode_totext((dns_rcode_t)n, target) == ISC_R_SUCCESS)
 		RETERR(str_totext(" ", target));
 	else {
-		sprintf(buf, "%lu ", n);
+		snprintf(buf, sizeof(buf), "%lu ", n);
 		RETERR(str_totext(buf, target));
 	}
 
@@ -190,7 +189,7 @@ totext_tkey(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", n);
+	snprintf(buf, sizeof(buf), "%lu", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -218,7 +217,7 @@ totext_tkey(ARGS_TOTEXT) {
 	 */
 	n = uint16_fromregion(&sr);
 	isc_region_consume(&sr, 2);
-	sprintf(buf, "%lu", n);
+	snprintf(buf, sizeof(buf), "%lu", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -561,7 +560,7 @@ checknames_tkey(ARGS_CHECKNAMES) {
 	return (ISC_TRUE);
 }
 
-static inline isc_result_t
+static inline int
 casecompare_tkey(ARGS_COMPARE) {
 	return (compare_tkey(rdata1, rdata2));
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.h b/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.h
index 5e049758240..014bd0a4c00 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/tkey_249.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,23 +17,23 @@
 #ifndef GENERIC_TKEY_249_H
 #define GENERIC_TKEY_249_H 1
 
-/* $Id: tkey_249.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tkey_249.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per draft-ietf-dnsind-tkey-00.txt */
 
 typedef struct dns_rdata_tkey {
-        dns_rdatacommon_t	common;
-        isc_mem_t *		mctx;
-        dns_name_t		algorithm;
-        isc_uint32_t		inception;
-        isc_uint32_t		expire;
-        isc_uint16_t		mode;
-        isc_uint16_t		error;
-        isc_uint16_t		keylen;
-        unsigned char *		key;
-        isc_uint16_t		otherlen;
-        unsigned char *		other;
+	dns_rdatacommon_t	common;
+	isc_mem_t *		mctx;
+	dns_name_t		algorithm;
+	isc_uint32_t		inception;
+	isc_uint32_t		expire;
+	isc_uint16_t		mode;
+	isc_uint16_t		error;
+	isc_uint16_t		keylen;
+	unsigned char *		key;
+	isc_uint16_t		otherlen;
+	unsigned char *		other;
 } dns_rdata_tkey_t;
 
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.c b/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.c
index cbb73775ebe..7a02c80670f 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -81,7 +81,7 @@ generic_totext_tlsa(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -89,7 +89,7 @@ generic_totext_tlsa(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u ", n);
+	snprintf(buf, sizeof(buf), "%u ", n);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -97,7 +97,7 @@ generic_totext_tlsa(ARGS_TOTEXT) {
 	 */
 	n = uint8_fromregion(&sr);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", n);
+	snprintf(buf, sizeof(buf), "%u", n);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.h b/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.h
index f0743f28d9c..ee0391b13c7 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/tlsa_52.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tlsa_52.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: tlsa_52.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_TLSA_52_H
 #define GENERIC_TLSA_52_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/txt_16.c b/usr.sbin/bind/lib/dns/rdata/generic/txt_16.c
index 2ebd46c3169..626c01eb8e1 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/txt_16.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/txt_16.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007-2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -281,7 +280,7 @@ checknames_txt(ARGS_CHECKNAMES) {
 	return (ISC_TRUE);
 }
 
-static inline isc_result_t
+static inline int
 casecompare_txt(ARGS_COMPARE) {
 	return (compare_txt(rdata1, rdata2));
 }
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/txt_16.h b/usr.sbin/bind/lib/dns/rdata/generic/txt_16.h
index 650da5c66b8..67e7194e047 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/txt_16.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/txt_16.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,20 +18,20 @@
 #ifndef GENERIC_TXT_16_H
 #define GENERIC_TXT_16_H 1
 
-/* $Id: txt_16.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: txt_16.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_txt_string {
-                isc_uint8_t    length;
-                unsigned char   *data;
+		isc_uint8_t    length;
+		unsigned char   *data;
 } dns_rdata_txt_string_t;
 
 typedef struct dns_rdata_txt {
-        dns_rdatacommon_t       common;
-        isc_mem_t               *mctx;
-        unsigned char           *txt;
-        isc_uint16_t            txt_len;
-        /* private */
-        isc_uint16_t            offset;
+	dns_rdatacommon_t       common;
+	isc_mem_t               *mctx;
+	unsigned char           *txt;
+	isc_uint16_t            txt_len;
+	/* private */
+	isc_uint16_t            offset;
 } dns_rdata_txt_t;
 
 /*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.c b/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.c
index 15763950502..fb91320dc16 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: unspec_103.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: unspec_103.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef RDATA_GENERIC_UNSPEC_103_C
 #define RDATA_GENERIC_UNSPEC_103_C
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.h b/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.h
index b7cb96790c4..e5ff17a01b5 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/unspec_103.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef GENERIC_UNSPEC_103_H
 #define GENERIC_UNSPEC_103_H 1
 
-/* $Id: unspec_103.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: unspec_103.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_unspec_t {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/uri_256.c b/usr.sbin/bind/lib/dns/rdata/generic/uri_256.c
index 45c884dfa54..07a7033e4fd 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/uri_256.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/uri_256.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: uri_256.c,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: uri_256.c,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef GENERIC_URI_256_C
 #define GENERIC_URI_256_C 1
@@ -80,7 +80,7 @@ totext_uri(ARGS_TOTEXT) {
 	 */
 	priority = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", priority);
+	snprintf(buf, sizeof(buf), "%u ", priority);
 	RETERR(str_totext(buf, target));
 
 	/*
@@ -88,7 +88,7 @@ totext_uri(ARGS_TOTEXT) {
 	 */
 	weight = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u ", weight);
+	snprintf(buf, sizeof(buf), "%u ", weight);
 	RETERR(str_totext(buf, target));
 
 	/*
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/uri_256.h b/usr.sbin/bind/lib/dns/rdata/generic/uri_256.h
index 18a43ec5cbe..29e719d498c 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/uri_256.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/uri_256.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,7 @@
 #ifndef GENERIC_URI_256_H
 #define GENERIC_URI_256_H 1
 
-/* $Id: uri_256.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: uri_256.h,v 1.2 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_uri {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/x25_19.c b/usr.sbin/bind/lib/dns/rdata/generic/x25_19.c
index 342e525a1bd..5550e0adb26 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/x25_19.c
+++ b/usr.sbin/bind/lib/dns/rdata/generic/x25_19.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: x25_19.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: x25_19.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/generic/x25_19.h b/usr.sbin/bind/lib/dns/rdata/generic/x25_19.h
index e11536709ac..a6d8eac61a6 100644
--- a/usr.sbin/bind/lib/dns/rdata/generic/x25_19.h
+++ b/usr.sbin/bind/lib/dns/rdata/generic/x25_19.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef GENERIC_X25_19_H
 #define GENERIC_X25_19_H 1
 
-/* $Id: x25_19.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: x25_19.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.c b/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.c
index 8bec72605ae..8a89cf029ba 100644
--- a/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.c
+++ b/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.c,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.h b/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.h
index 0b79d0d326f..9e6329c7630 100644
--- a/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.h
+++ b/usr.sbin/bind/lib/dns/rdata/hs_4/a_1.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef HS_4_A_1_H
 #define HS_4_A_1_H 1
 
-/* $Id: a_1.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 typedef struct dns_rdata_hs_a {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.c b/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.c
index 11d72146b88..316d8a02ded 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a6_38.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a6_38.c,v 1.7 2019/12/17 01:46:33 sthen Exp $ */
 
 /* RFC2874 */
 
@@ -116,7 +115,7 @@ totext_in_a6(ARGS_TOTEXT) {
 	prefixlen = sr.base[0];
 	INSIST(prefixlen <= 128);
 	isc_region_consume(&sr, 1);
-	sprintf(buf, "%u", prefixlen);
+	snprintf(buf, sizeof(buf), "%u", prefixlen);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.h b/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.h
index 41a89fc4e3b..40eaa6be487 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/a6_38.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,13 +17,13 @@
 #ifndef IN_1_A6_38_H
 #define IN_1_A6_38_H 1
 
-/* $Id: a6_38.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a6_38.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC2874 */
 
 typedef struct dns_rdata_in_a6 {
-        dns_rdatacommon_t	common;
+	dns_rdatacommon_t	common;
 	isc_mem_t		*mctx;
 	dns_name_t		prefix;
 	isc_uint8_t		prefixlen;
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/a_1.c b/usr.sbin/bind/lib/dns/rdata/in_1/a_1.c
index 7677a5ef7d2..fff6171c474 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/a_1.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/a_1.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/a_1.h b/usr.sbin/bind/lib/dns/rdata/in_1/a_1.h
index 595a9c59e32..6334f188378 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/a_1.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/a_1.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef IN_1_A_1_H
 #define IN_1_A_1_H 1
 
-/* $Id: a_1.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: a_1.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 typedef struct dns_rdata_in_a {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.c b/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.c
index d3f8eb1f2c5..e994de5ae24 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aaaa_28.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: aaaa_28.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.h b/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.h
index 4d2d96faced..d89b6d7e87c 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/aaaa_28.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef IN_1_AAAA_28_H
 #define IN_1_AAAA_28_H 1
 
-/* $Id: aaaa_28.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: aaaa_28.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC1886 */
 
 typedef struct dns_rdata_in_aaaa {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.c b/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.c
index 18a7965c7ef..494c0a0e083 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: apl_42.c,v 1.4 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: apl_42.c,v 1.5 2019/12/17 01:46:34 sthen Exp $ */
 
 /* RFC3123 */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.h b/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.h
index 7b3e7776556..17606366fbd 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/apl_42.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 #ifndef IN_1_APL_42_H
 #define IN_1_APL_42_H 1
 
-/* $Id: apl_42.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: apl_42.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 typedef struct dns_rdata_apl_ent {
 	isc_boolean_t	negative;
@@ -34,9 +33,9 @@ typedef struct dns_rdata_in_apl {
 	isc_mem_t		*mctx;
 	/* type & class specific elements */
 	unsigned char           *apl;
-        isc_uint16_t            apl_len;
-        /* private */
-        isc_uint16_t            offset;
+	isc_uint16_t            apl_len;
+	/* private */
+	isc_uint16_t            offset;
 } dns_rdata_in_apl_t;
 
 /*
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.c b/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.c
index 4402e64c3ae..f24ea04d61c 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dhcid_49.c,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: dhcid_49.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /* RFC 4701 */
 
@@ -40,7 +40,7 @@ fromtext_in_dhcid(ARGS_FROMTEXT) {
 
 static inline isc_result_t
 totext_in_dhcid(ARGS_TOTEXT) {
-	isc_region_t sr;
+	isc_region_t sr, sr2;
 	char buf[sizeof(" ; 64000 255 64000")];
 	size_t n;
 
@@ -49,6 +49,7 @@ totext_in_dhcid(ARGS_TOTEXT) {
 	REQUIRE(rdata->length != 0);
 
 	dns_rdata_toregion(rdata, &sr);
+	sr2 = sr;
 
 	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
 		RETERR(str_totext("( " /*)*/, target));
@@ -61,8 +62,8 @@ totext_in_dhcid(ARGS_TOTEXT) {
 		RETERR(str_totext(/* ( */ " )", target));
 		if (rdata->length > 2) {
 			n = snprintf(buf, sizeof(buf), " ; %u %u %u",
-				     sr.base[0] * 256 + sr.base[1],
-				     sr.base[2], rdata->length - 3);
+				     sr2.base[0] * 256U + sr2.base[1],
+				     sr2.base[2], rdata->length - 3U);
 			INSIST(n < sizeof(buf));
 			RETERR(str_totext(buf, target));
 		}
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.h b/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.h
index fde6da0e34e..e36a498cda4 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/dhcid_49.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
 #ifndef IN_1_DHCID_49_H
 #define IN_1_DHCID_49_H 1
 
-/* $Id: dhcid_49.h,v 1.1 2019/12/16 16:31:34 deraadt Exp $ */
+/* $Id: dhcid_49.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 typedef struct dns_rdata_in_dhcid {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.c b/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.c
index 46b0f6668d9..21108985388 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: kx_36.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: kx_36.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
 
@@ -74,7 +73,7 @@ totext_in_kx(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 
 	RETERR(str_totext(" ", target));
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.h b/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.h
index aef1a0b4e64..a4bb1a3f2e6 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/kx_36.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef IN_1_KX_36_H
 #define IN_1_KX_36_H 1
 
-/* $Id: kx_36.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: kx_36.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC2230 */
 
 typedef struct dns_rdata_in_kx {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.c b/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.c
index 4596ef0208c..1ee3d9db226 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.h b/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.h
index fd969464ec9..6cd2f1f4e3c 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef IN_1_NSAP_PTR_23_H
 #define IN_1_NSAP_PTR_23_H 1
 
-/* $Id: nsap-ptr_23.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsap-ptr_23.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
 
 typedef struct dns_rdata_in_nsap_ptr {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.c b/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.c
index 42bc82aeb64..6029947c8a4 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap_22.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsap_22.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
 
@@ -89,7 +88,7 @@ totext_in_nsap(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	RETERR(str_totext("0x", target));
 	while (region.length != 0) {
-		sprintf(buf, "%02x", region.base[0]);
+		snprintf(buf, sizeof(buf), "%02x", region.base[0]);
 		isc_region_consume(&region, 1);
 		RETERR(str_totext(buf, target));
 	}
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.h b/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.h
index e87042e484f..6b57b562e69 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/nsap_22.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef IN_1_NSAP_22_H
 #define IN_1_NSAP_22_H 1
 
-/* $Id: nsap_22.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: nsap_22.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC1706 */
 
 typedef struct dns_rdata_in_nsap {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/px_26.c b/usr.sbin/bind/lib/dns/rdata/in_1/px_26.c
index 835630628c0..fd39781b777 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/px_26.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/px_26.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: px_26.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: px_26.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
 
@@ -93,7 +92,7 @@ totext_in_px(ARGS_TOTEXT) {
 	dns_rdata_toregion(rdata, &region);
 	num = uint16_fromregion(&region);
 	isc_region_consume(&region, 2);
-	sprintf(buf, "%u", num);
+	snprintf(buf, sizeof(buf), "%u", num);
 	RETERR(str_totext(buf, target));
 	RETERR(str_totext(" ", target));
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/px_26.h b/usr.sbin/bind/lib/dns/rdata/in_1/px_26.h
index 349c0f5db7a..18da6a071e8 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/px_26.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/px_26.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,9 +17,9 @@
 #ifndef IN_1_PX_26_H
 #define IN_1_PX_26_H 1
 
-/* $Id: px_26.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: px_26.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
-/*! 
+/*!
  *  \brief Per RFC2163 */
 
 typedef struct dns_rdata_in_px {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.c b/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.c
index be86c2cd98a..54d531702de 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: srv_33.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: srv_33.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.h b/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.h
index 29c6d07835e..b98bdda8efe 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/srv_33.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,11 +17,11 @@
 #ifndef IN_1_SRV_33_H
 #define IN_1_SRV_33_H 1
 
-/* $Id: srv_33.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: srv_33.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
-/*! 
+/*!
  *  \brief Per RFC2782 */
 
 typedef struct dns_rdata_in_srv {
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.c b/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.c
index 31b39010260..cd28f18ac31 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.c
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: wks_11.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
@@ -29,6 +28,16 @@
 #include <isc/netdb.h>
 #include <isc/once.h>
 
+/*
+ * Redefine CHECK here so cppcheck "sees" the define.
+ */
+#ifndef CHECK
+#define CHECK(op)						\
+	do { result = (op);					\
+		if (result != ISC_R_SUCCESS) goto cleanup;	\
+	} while (0)
+#endif
+
 #define RRTYPE_WKS_ATTRIBUTES (0)
 
 static isc_mutex_t wks_lock;
@@ -208,7 +217,7 @@ totext_in_wks(ARGS_TOTEXT) {
 	isc_region_consume(&sr, 4);
 
 	proto = uint8_fromregion(&sr);
-	sprintf(buf, "%u", proto);
+	snprintf(buf, sizeof(buf), "%u", proto);
 	RETERR(str_totext(" ", target));
 	RETERR(str_totext(buf, target));
 	isc_region_consume(&sr, 1);
@@ -218,7 +227,8 @@ totext_in_wks(ARGS_TOTEXT) {
 		if (sr.base[i] != 0)
 			for (j = 0; j < 8; j++)
 				if ((sr.base[i] & (0x80 >> j)) != 0) {
-					sprintf(buf, "%u", i * 8 + j);
+					snprintf(buf, sizeof(buf),
+						 "%u", i * 8 + j);
 					RETERR(str_totext(" ", target));
 					RETERR(str_totext(buf, target));
 				}
diff --git a/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.h b/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.h
index 2f637628a1c..8a9649efa69 100644
--- a/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.h
+++ b/usr.sbin/bind/lib/dns/rdata/in_1/wks_11.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef IN_1_WKS_11_H
 #define IN_1_WKS_11_H 1
 
-/* $Id: wks_11.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: wks_11.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 typedef	struct dns_rdata_in_wks {
 	dns_rdatacommon_t	common;
diff --git a/usr.sbin/bind/lib/dns/rdata/rdatastructpre.h b/usr.sbin/bind/lib/dns/rdata/rdatastructpre.h
index 446431bcdc9..1f0eade32b5 100644
--- a/usr.sbin/bind/lib/dns/rdata/rdatastructpre.h
+++ b/usr.sbin/bind/lib/dns/rdata/rdatastructpre.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructpre.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdatastructpre.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 #ifndef DNS_RDATASTRUCT_H
 #define DNS_RDATASTRUCT_H 1
diff --git a/usr.sbin/bind/lib/dns/rdata/rdatastructsuf.h b/usr.sbin/bind/lib/dns/rdata/rdatastructsuf.h
index 1ab96f67fd0..8a079b31e29 100644
--- a/usr.sbin/bind/lib/dns/rdata/rdatastructsuf.h
+++ b/usr.sbin/bind/lib/dns/rdata/rdatastructsuf.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructsuf.h,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: rdatastructsuf.h,v 1.3 2019/12/17 01:46:33 sthen Exp $ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/usr.sbin/bind/lib/dns/rdatalist.c b/usr.sbin/bind/lib/dns/rdatalist.c
index 1138b021187..081c7455dd6 100644
--- a/usr.sbin/bind/lib/dns/rdatalist.c
+++ b/usr.sbin/bind/lib/dns/rdatalist.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.c,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rdatalist.c,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/rdatalist_p.h b/usr.sbin/bind/lib/dns/rdatalist_p.h
index cc6f9d9884d..13fa1cbb203 100644
--- a/usr.sbin/bind/lib/dns/rdatalist_p.h
+++ b/usr.sbin/bind/lib/dns/rdatalist_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist_p.h,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rdatalist_p.h,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 #ifndef DNS_RDATALIST_P_H
 #define DNS_RDATALIST_P_H
diff --git a/usr.sbin/bind/lib/dns/rdataset.c b/usr.sbin/bind/lib/dns/rdataset.c
index ad2410dcbd3..d319587bc03 100644
--- a/usr.sbin/bind/lib/dns/rdataset.c
+++ b/usr.sbin/bind/lib/dns/rdataset.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2012, 2014, 2015, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -325,8 +324,8 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	unsigned int headlen;
 	isc_boolean_t question = ISC_FALSE;
 	isc_boolean_t shuffle = ISC_FALSE;
-	dns_rdata_t *shuffled = NULL, shuffled_fixed[MAX_SHUFFLE];
-	struct towire_sort *sorted = NULL, sorted_fixed[MAX_SHUFFLE];
+	dns_rdata_t *in = NULL, in_fixed[MAX_SHUFFLE];
+	struct towire_sort *out = NULL, out_fixed[MAX_SHUFFLE];
 
 	UNUSED(state);
 
@@ -373,13 +372,13 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		shuffle = ISC_TRUE;
 
 	if (shuffle && count > MAX_SHUFFLE) {
-		shuffled = isc_mem_get(cctx->mctx, count * sizeof(*shuffled));
-		sorted = isc_mem_get(cctx->mctx, count * sizeof(*sorted));
-		if (shuffled == NULL || sorted == NULL)
+		in = isc_mem_get(cctx->mctx, count * sizeof(*in));
+		out = isc_mem_get(cctx->mctx, count * sizeof(*out));
+		if (in == NULL || out == NULL)
 			shuffle = ISC_FALSE;
 	} else {
-		shuffled = shuffled_fixed;
-		sorted = sorted_fixed;
+		in = in_fixed;
+		out = out_fixed;
 	}
 
 	if (shuffle) {
@@ -389,8 +388,8 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		i = 0;
 		do {
 			INSIST(i < count);
-			dns_rdata_init(&shuffled[i]);
-			dns_rdataset_current(rdataset, &shuffled[i]);
+			dns_rdata_init(&in[i]);
+			dns_rdataset_current(rdataset, &in[i]);
 			i++;
 			result = dns_rdataset_next(rdataset);
 		} while (result == ISC_R_SUCCESS);
@@ -407,9 +406,8 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			 */
 			INSIST(order != NULL);
 			for (i = 0; i < count; i++) {
-				sorted[i].key = (*order)(&shuffled[i],
-							 order_arg);
-				sorted[i].rdata = &shuffled[i];
+				out[i].key = (*order)(&in[i], order_arg);
+				out[i].rdata = &in[i];
 			}
 		} else if (WANT_RANDOM(rdataset)) {
 			/*
@@ -420,15 +418,15 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 
 				isc_random_get(&val);
 				choice = i + (val % (count - i));
-				rdata = shuffled[i];
-				shuffled[i] = shuffled[choice];
-				shuffled[choice] = rdata;
+				rdata = in[i];
+				in[i] = in[choice];
+				in[choice] = rdata;
 				if (order != NULL)
-					sorted[i].key = (*order)(&shuffled[i],
-								 order_arg);
+					out[i].key = (*order)(&in[i],
+							      order_arg);
 				else
-					sorted[i].key = 0; /* Unused */
-				sorted[i].rdata = &shuffled[i];
+					out[i].key = 0; /* Unused */
+				out[i].rdata = &in[i];
 			}
 		} else {
 			/*
@@ -443,11 +441,11 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			j = val % count;
 			for (i = 0; i < count; i++) {
 				if (order != NULL)
-					sorted[i].key = (*order)(&shuffled[j],
-								 order_arg);
+					out[i].key = (*order)(&in[j],
+							      order_arg);
 				else
-					sorted[i].key = 0; /* Unused */
-				sorted[i].rdata = &shuffled[j];
+					out[i].key = 0; /* Unused */
+				out[i].rdata = &in[j];
 				j++;
 				if (j == count)
 					j = 0; /* Wrap around. */
@@ -458,8 +456,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		 * Sorted order.
 		 */
 		if (order != NULL)
-			qsort(sorted, count, sizeof(sorted[0]),
-			      towire_compare);
+			qsort(out, count, sizeof(out[0]), towire_compare);
 	}
 
 	savedbuffer = *target;
@@ -500,7 +497,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 			 * Copy out the rdata
 			 */
 			if (shuffle)
-				rdata = *(sorted[i].rdata);
+				rdata = *(out[i].rdata);
 			else {
 				dns_rdata_reset(&rdata);
 				dns_rdataset_current(rdataset, &rdata);
@@ -549,10 +546,10 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	*target = savedbuffer;
 
  cleanup:
-	if (sorted != NULL && sorted != sorted_fixed)
-		isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted));
-	if (shuffled != NULL && shuffled != shuffled_fixed)
-		isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled));
+	if (out != NULL && out != out_fixed)
+		isc_mem_put(cctx->mctx, out, count * sizeof(*out));
+	if (in != NULL && in != in_fixed)
+		isc_mem_put(cctx->mctx, in, count * sizeof(*in));
 	return (result);
 }
 
diff --git a/usr.sbin/bind/lib/dns/rdatasetiter.c b/usr.sbin/bind/lib/dns/rdatasetiter.c
index 8edbe881473..563ce546d82 100644
--- a/usr.sbin/bind/lib/dns/rdatasetiter.c
+++ b/usr.sbin/bind/lib/dns/rdatasetiter.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rdatasetiter.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/rdataslab.c b/usr.sbin/bind/lib/dns/rdataslab.c
index d29716b03d1..b4a87a981a2 100644
--- a/usr.sbin/bind/lib/dns/rdataslab.c
+++ b/usr.sbin/bind/lib/dns/rdataslab.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.6 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rdataslab.c,v 1.7 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -297,7 +296,9 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 	region->base = rawbuf;
 	region->length = buflen;
 
+	memset(rawbuf, 0, buflen);
 	rawbuf += reservelen;
+
 #if DNS_RDATASET_FIXED
 	offsetbase = rawbuf;
 #endif
@@ -329,7 +330,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		 * Store the per RR meta data.
 		 */
 		if (rdataset->type == dns_rdatatype_rrsig) {
-			*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
+			*rawbuf++ = (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
 					    DNS_RDATASLAB_OFFLINE : 0;
 		}
 		memmove(rawbuf, x[i].rdata.data, x[i].rdata.length);
diff --git a/usr.sbin/bind/lib/dns/request.c b/usr.sbin/bind/lib/dns/request.c
index e614250aee6..b0462db813d 100644
--- a/usr.sbin/bind/lib/dns/request.c
+++ b/usr.sbin/bind/lib/dns/request.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.3 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: request.c,v 1.4 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/resolver.c b/usr.sbin/bind/lib/dns/resolver.c
index 6963a47572b..884e2a66cda 100644
--- a/usr.sbin/bind/lib/dns/resolver.c
+++ b/usr.sbin/bind/lib/dns/resolver.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -846,7 +845,7 @@ fctx_stoptimer(fetchctx_t *fctx) {
 	 * cannot fail in that case.
 	 */
 	result = isc_timer_reset(fctx->timer, isc_timertype_inactive,
-				  NULL, NULL, ISC_TRUE);
+				 NULL, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
 				 "isc_timer_reset(): %s",
@@ -854,7 +853,6 @@ fctx_stoptimer(fetchctx_t *fctx) {
 	}
 }
 
-
 static inline isc_result_t
 fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
 	/*
@@ -1134,7 +1132,8 @@ fctx_cleanupfinds(fetchctx_t *fctx) {
 
 	for (find = ISC_LIST_HEAD(fctx->finds);
 	     find != NULL;
-	     find = next_find) {
+	     find = next_find)
+	{
 		next_find = ISC_LIST_NEXT(find, publink);
 		ISC_LIST_UNLINK(fctx->finds, find, publink);
 		dns_adb_destroyfind(&find);
@@ -1150,7 +1149,8 @@ fctx_cleanupaltfinds(fetchctx_t *fctx) {
 
 	for (find = ISC_LIST_HEAD(fctx->altfinds);
 	     find != NULL;
-	     find = next_find) {
+	     find = next_find)
+	{
 		next_find = ISC_LIST_NEXT(find, publink);
 		ISC_LIST_UNLINK(fctx->altfinds, find, publink);
 		dns_adb_destroyfind(&find);
@@ -1166,7 +1166,8 @@ fctx_cleanupforwaddrs(fetchctx_t *fctx) {
 
 	for (addr = ISC_LIST_HEAD(fctx->forwaddrs);
 	     addr != NULL;
-	     addr = next_addr) {
+	     addr = next_addr)
+	{
 		next_addr = ISC_LIST_NEXT(addr, publink);
 		ISC_LIST_UNLINK(fctx->forwaddrs, addr, publink);
 		dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1181,7 +1182,8 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
 
 	for (addr = ISC_LIST_HEAD(fctx->altaddrs);
 	     addr != NULL;
-	     addr = next_addr) {
+	     addr = next_addr)
+	{
 		next_addr = ISC_LIST_NEXT(addr, publink);
 		ISC_LIST_UNLINK(fctx->altaddrs, addr, publink);
 		dns_adb_freeaddrinfo(fctx->adb, &addr);
@@ -1189,16 +1191,20 @@ fctx_cleanupaltaddrs(fetchctx_t *fctx) {
 }
 
 static inline void
-fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response,
-		    isc_boolean_t age_untried)
+fctx_stopqueries(fetchctx_t *fctx, isc_boolean_t no_response,
+		 isc_boolean_t age_untried)
 {
-	FCTXTRACE("stopeverything");
+	FCTXTRACE("stopqueries");
 	fctx_cancelqueries(fctx, no_response, age_untried);
+	fctx_stoptimer(fctx);
+}
+
+static inline void
+fctx_cleanupall(fetchctx_t *fctx) {
 	fctx_cleanupfinds(fctx);
 	fctx_cleanupaltfinds(fctx);
 	fctx_cleanupforwaddrs(fctx);
 	fctx_cleanupaltaddrs(fctx);
-	fctx_stoptimer(fctx);
 }
 
 #ifdef ENABLE_FETCHLIMIT
@@ -1361,7 +1367,7 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
 		if (!HAVE_ANSWER(fctx))
 			event->result = result;
 
-		INSIST(result != ISC_R_SUCCESS ||
+		INSIST(event->result != ISC_R_SUCCESS ||
 		       dns_rdataset_isassociated(event->rdataset) ||
 		       fctx->type == dns_rdatatype_any ||
 		       fctx->type == dns_rdatatype_rrsig ||
@@ -1451,7 +1457,8 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
 		age_untried = ISC_TRUE;
 
 	fctx->reason = NULL;
-	fctx_stopeverything(fctx, no_response, age_untried);
+
+	fctx_stopqueries(fctx, no_response, age_untried);
 
 	LOCK(&res->buckets[fctx->bucketnum].lock);
 
@@ -1682,6 +1689,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	query->sends = 0;
 	query->connects = 0;
 	query->dscp = addrinfo->dscp;
+	query->udpsize = 0;
 	/*
 	 * Note that the caller MUST guarantee that 'addrinfo' will remain
 	 * valid until this query is canceled.
@@ -2105,6 +2113,7 @@ resquery_send(resquery_t *query) {
 	isc_boolean_t cleanup_cctx = ISC_FALSE;
 	isc_boolean_t secure_domain;
 	isc_boolean_t connecting = ISC_FALSE;
+	isc_boolean_t tcp = ISC_TF((query->options & DNS_FETCHOPT_TCP) != 0);
 	dns_ednsopt_t ednsopts[DNS_EDNSOPTIONS];
 	unsigned ednsopt = 0;
 	isc_uint16_t hint = 0, udpsize = 0;	/* No EDNS */
@@ -2116,7 +2125,7 @@ resquery_send(resquery_t *query) {
 	task = res->buckets[fctx->bucketnum].task;
 	address = NULL;
 
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+	if (tcp) {
 		/*
 		 * Reserve space for the TCP message length.
 		 */
@@ -2456,7 +2465,7 @@ resquery_send(resquery_t *query) {
 	 * If using TCP, write the length of the message at the beginning
 	 * of the buffer.
 	 */
-	if ((query->options & DNS_FETCHOPT_TCP) != 0) {
+	if (tcp) {
 		isc_buffer_usedregion(&query->buffer, &r);
 		isc_buffer_putuint16(&tcpbuffer, (isc_uint16_t)r.length);
 		isc_buffer_add(&tcpbuffer, r.length);
@@ -2474,7 +2483,7 @@ resquery_send(resquery_t *query) {
 	/*
 	 * Send the query!
 	 */
-	if ((query->options & DNS_FETCHOPT_TCP) == 0) {
+	if (!tcp) {
 		address = &query->addrinfo->sockaddr;
 		if (query->exclusivesocket) {
 			result = isc_socket_connect(sock, address, task,
@@ -2503,7 +2512,7 @@ resquery_send(resquery_t *query) {
 	} else {
 		query->sendevent.attributes |= ISC_SOCKEVENTATTR_DSCP;
 		query->sendevent.dscp = query->dscp;
-		if ((query->options & DNS_FETCHOPT_TCP) != 0)
+		if (tcp)
 			isc_socket_dscp(sock, query->dscp);
 	}
 
@@ -2721,8 +2730,8 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 		 * The fetch is waiting for a name to be found.
 		 */
 		INSIST(!SHUTTINGDOWN(fctx));
-		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES) {
+			fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 			want_try = ISC_TRUE;
 		} else {
 			fctx->findfail++;
@@ -2732,6 +2741,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 				 * know the answer.  There's nothing to do but
 				 * fail the fctx.
 				 */
+				fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 				want_done = ISC_TRUE;
 			}
 		}
@@ -3383,6 +3393,8 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
 				dns_resolver_addbadcache(res, &fctx->name,
 							 fctx->type, &expire);
 
+			result = ISC_R_FAILURE;
+
 #ifdef ENABLE_FETCHLIMIT
 			/*
 			 * If all of the addresses found were over the
@@ -3392,8 +3404,7 @@ fctx_getaddresses(fetchctx_t *fctx, isc_boolean_t badcache) {
 			if (all_spilled) {
 				result = res->quotaresp[dns_quotatype_server];
 				inc_stats(res, dns_resstatscounter_serverquota);
-			} else
-				result = ISC_R_FAILURE;
+			}
 #endif /* ENABLE_FETCHLIMIT */
 		}
 	} else {
@@ -3642,20 +3653,18 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
 		return;
 	}
 
+	addrinfo = fctx_nextaddress(fctx);
+
 #ifdef ENABLE_FETCHLIMIT
 	/* Try to find an address that isn't over quota */
-	while ((addrinfo = fctx_nextaddress(fctx)) != NULL)
-		if (! dns_adbentry_overquota(addrinfo->entry))
-			break;
+	while (addrinfo != NULL && dns_adbentry_overquota(addrinfo->entry))
+		addrinfo = fctx_nextaddress(fctx);
 #endif /* ENABLE_FETCHLIMIT */
 
 	if (addrinfo == NULL) {
 		/* We have no more addresses.  Start over. */
 		fctx_cancelqueries(fctx, ISC_TRUE, ISC_FALSE);
-		fctx_cleanupfinds(fctx);
-		fctx_cleanupaltfinds(fctx);
-		fctx_cleanupforwaddrs(fctx);
-		fctx_cleanupaltaddrs(fctx);
+		fctx_cleanupall(fctx);
 		result = fctx_getaddresses(fctx, badcache);
 		if (result == DNS_R_WAIT) {
 			/*
@@ -3672,14 +3681,14 @@ fctx_try(fetchctx_t *fctx, isc_boolean_t retrying, isc_boolean_t badcache) {
 			return;
 		}
 
-#ifdef ENABLE_FETCHLIMIT
-		while ((addrinfo = fctx_nextaddress(fctx)) != NULL) {
-			if (! dns_adbentry_overquota(addrinfo->entry))
-				break;
-		}
-#else
 		addrinfo = fctx_nextaddress(fctx);
-#endif /* !ENABLE_FETCHLIMIT */
+
+#ifdef ENABLE_FETCHLIMIT
+		/* Try to find an address that isn't over quota */
+		while (addrinfo != NULL &&
+		       dns_adbentry_overquota(addrinfo->entry))
+			addrinfo = fctx_nextaddress(fctx);
+#endif /* ENABLE_FETCHLIMIT */
 
 		/*
 		 * While we may have addresses from the ADB, they
@@ -3959,11 +3968,12 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
 		dns_resolver_cancelfetch(fctx->nsfetch);
 
 	/*
-	 * Shut down anything that is still running on behalf of this
-	 * fetch.  To avoid deadlock with the ADB, we must do this
-	 * before we lock the bucket lock.
+	 * Shut down anything still running on behalf of this
+	 * fetch, and clean up finds and addresses.  To avoid deadlock
+	 * with the ADB, we must do this before we lock the bucket lock.
 	 */
-	fctx_stopeverything(fctx, ISC_FALSE, ISC_FALSE);
+	fctx_stopqueries(fctx, ISC_FALSE, ISC_FALSE);
+	fctx_cleanupall(fctx);
 
 	LOCK(&res->buckets[bucketnum].lock);
 
@@ -4185,8 +4195,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	 */
 	dns_name_format(name, buf, sizeof(buf));
 	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-	strcat(buf, "/");       /* checked */
-	strcat(buf, typebuf);   /* checked */
+	strlcat(buf, "/", sizeof(buf));
+	strlcat(buf, typebuf, sizeof(buf));
 	fctx->info = isc_mem_strdup(mctx, buf);
 	if (fctx->info == NULL) {
 		result = ISC_R_NOMEMORY;
@@ -4550,7 +4560,7 @@ log_formerr(fetchctx_t *fctx, const char *format, ...) {
 		      nsbuf, fctx->info, clmsg, clbuf, msgbuf);
 }
 
-static inline isc_result_t
+static isc_result_t
 same_question(fetchctx_t *fctx) {
 	isc_result_t result;
 	dns_message_t *message = fctx->rmessage;
@@ -4564,7 +4574,32 @@ same_question(fetchctx_t *fctx) {
 	/*
 	 * XXXRTH  Currently we support only one question.
 	 */
-	if (message->counts[DNS_SECTION_QUESTION] != 1) {
+	if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] == 0)) {
+		if ((message->flags & DNS_MESSAGEFLAG_TC) != 0) {
+			/*
+			 * If TC=1 and the question section is empty, we
+			 * accept the reply message as a truncated
+			 * answer, to be retried over TCP.
+			 *
+			 * It is really a FORMERR condition, but this is
+			 * a workaround to accept replies from some
+			 * implementations.
+			 *
+			 * Because the question section matching is not
+			 * performed, the worst that could happen is
+			 * that an attacker who gets past the ID and
+			 * source port checks can force the use of
+			 * TCP. This is considered an acceptable risk.
+			 */
+			log_formerr(fctx,
+				    "empty question section, "
+				    "accepting it anyway as TC=1");
+			return (ISC_R_SUCCESS);
+		} else {
+			log_formerr(fctx, "empty question section");
+			return (DNS_R_FORMERR);
+		}
+	} else if (ISC_UNLIKELY(message->counts[DNS_SECTION_QUESTION] > 1)) {
 		log_formerr(fctx, "too many questions");
 		return (DNS_R_FORMERR);
 	}
@@ -4582,14 +4617,15 @@ same_question(fetchctx_t *fctx) {
 	    fctx->res->rdclass != rdataset->rdclass ||
 	    !dns_name_equal(&fctx->name, name)) {
 		char namebuf[DNS_NAME_FORMATSIZE];
-		char class[DNS_RDATACLASS_FORMATSIZE];
-		char type[DNS_RDATATYPE_FORMATSIZE];
+		char classbuf[DNS_RDATACLASS_FORMATSIZE];
+		char typebuf[DNS_RDATATYPE_FORMATSIZE];
 
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		dns_rdataclass_format(rdataset->rdclass, class, sizeof(class));
-		dns_rdatatype_format(rdataset->type, type, sizeof(type));
+		dns_rdataclass_format(rdataset->rdclass, classbuf,
+				      sizeof(classbuf));
+		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
 		log_formerr(fctx, "question section mismatch: got %s/%s/%s",
-			    namebuf, class, type);
+			    namebuf, classbuf, typebuf);
 		return (DNS_R_FORMERR);
 	}
 
@@ -4649,7 +4685,6 @@ clone_results(fetchctx_t *fctx) {
 #define CHASE(r)        (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
 #define CHECKNAMES(r)   (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
 
-
 /*
  * Destroy '*fctx' if it is ready to be destroyed (i.e., if it has
  * no references and is no longer waiting for any events).
@@ -5252,16 +5287,19 @@ static inline isc_result_t
 cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	   isc_stdtime_t now)
 {
-	dns_rdataset_t *rdataset, *sigrdataset;
-	dns_rdataset_t *addedrdataset, *ardataset, *asigrdataset;
+	dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+	dns_rdataset_t *addedrdataset = NULL;
+	dns_rdataset_t *ardataset = NULL, *asigrdataset = NULL;
 	dns_rdataset_t *valrdataset = NULL, *valsigrdataset = NULL;
-	dns_dbnode_t *node, **anodep;
-	dns_db_t **adbp;
-	dns_name_t *aname;
-	dns_resolver_t *res;
-	isc_boolean_t need_validation, secure_domain, have_answer;
-	isc_result_t result, eresult;
-	dns_fetchevent_t *event;
+	dns_dbnode_t *node = NULL, **anodep = NULL;
+	dns_db_t **adbp = NULL;
+	dns_name_t *aname = NULL;
+	dns_resolver_t *res = fctx->res;
+	isc_boolean_t need_validation = ISC_FALSE;
+	isc_boolean_t secure_domain = ISC_FALSE;
+	isc_boolean_t have_answer = ISC_FALSE;
+	isc_result_t result, eresult = ISC_R_SUCCESS;
+	dns_fetchevent_t *event = NULL;
 	unsigned int options;
 	isc_task_t *task;
 	isc_boolean_t fail;
@@ -5270,13 +5308,6 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * The appropriate bucket lock must be held.
 	 */
-
-	res = fctx->res;
-	need_validation = ISC_FALSE;
-	POST(need_validation);
-	secure_domain = ISC_FALSE;
-	have_answer = ISC_FALSE;
-	eresult = ISC_R_SUCCESS;
 	task = res->buckets[fctx->bucketnum].task;
 
 	/*
@@ -5285,8 +5316,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	if (res->view->enablevalidation) {
 		result = dns_view_issecuredomain(res->view, name,
 						 &secure_domain);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			return (result);
+		}
 
 		if (!secure_domain && res->view->dlv != NULL) {
 			valoptions = DNS_VALIDATOR_DLV;
@@ -5294,30 +5326,28 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		}
 	}
 
-	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0)
+	if ((fctx->options & DNS_FETCHOPT_NOCDFLAG) != 0) {
 		valoptions |= DNS_VALIDATOR_NOCDFLAG;
+	}
 
-	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0)
+	if ((fctx->options & DNS_FETCHOPT_NOVALIDATE) != 0) {
 		need_validation = ISC_FALSE;
-	else
+	} else {
 		need_validation = secure_domain;
+	}
 
-	adbp = NULL;
-	aname = NULL;
-	anodep = NULL;
-	ardataset = NULL;
-	asigrdataset = NULL;
-	event = NULL;
-	if ((name->attributes & DNS_NAMEATTR_ANSWER) != 0 &&
-	    !need_validation) {
+	if (((name->attributes & DNS_NAMEATTR_ANSWER) != 0) &&
+	    (!need_validation))
+	{
 		have_answer = ISC_TRUE;
 		event = ISC_LIST_HEAD(fctx->events);
 		if (event != NULL) {
 			adbp = &event->db;
 			aname = dns_fixedname_name(&event->foundname);
 			result = dns_name_copy(name, aname, NULL);
-			if (result != ISC_R_SUCCESS)
+			if (result != ISC_R_SUCCESS) {
 				return (result);
+			}
 			anodep = &event->node;
 			/*
 			 * If this is an ANY, SIG or RRSIG query, we're not
@@ -5329,7 +5359,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			if ((fctx->type != dns_rdatatype_any &&
 			     fctx->type != dns_rdatatype_rrsig &&
 			     fctx->type != dns_rdatatype_sig) ||
-			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0) {
+			    (name->attributes & DNS_NAMEATTR_CHAINING) != 0)
+			{
 				ardataset = event->rdataset;
 				asigrdataset = event->sigrdataset;
 			}
@@ -5341,8 +5372,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	 */
 	node = NULL;
 	result = dns_db_findnode(fctx->cache, name, ISC_TRUE, &node);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		return (result);
+	}
 
 	/*
 	 * Cache or validate each cacheable rdataset.
@@ -5350,9 +5382,11 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 	fail = ISC_TF((fctx->res->options & DNS_RESOLVER_CHECKNAMESFAIL) != 0);
 	for (rdataset = ISC_LIST_HEAD(name->list);
 	     rdataset != NULL;
-	     rdataset = ISC_LIST_NEXT(rdataset, link)) {
-		if (!CACHE(rdataset))
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (!CACHE(rdataset)) {
 			continue;
+		}
 		if (CHECKNAMES(rdataset)) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			char typebuf[DNS_RDATATYPE_FORMATSIZE];
@@ -5380,24 +5414,29 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		/*
 		 * Enforce the configure maximum cache TTL.
 		 */
-		if (rdataset->ttl > res->view->maxcachettl)
+		if (rdataset->ttl > res->view->maxcachettl) {
 			rdataset->ttl = res->view->maxcachettl;
+		}
 
 		/*
 		 * Mark the rdataset as being prefetch eligible.
 		 */
-		if (rdataset->ttl > fctx->res->view->prefetch_eligible)
+		if (rdataset->ttl > fctx->res->view->prefetch_eligible) {
 			rdataset->attributes |= DNS_RDATASETATTR_PREFETCH;
+		}
 
 		/*
 		 * Find the SIG for this rdataset, if we have it.
 		 */
 		for (sigrdataset = ISC_LIST_HEAD(name->list);
 		     sigrdataset != NULL;
-		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link)) {
+		     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+		{
 			if (sigrdataset->type == dns_rdatatype_rrsig &&
 			    sigrdataset->covers == rdataset->type)
+			{
 				break;
+			}
 		}
 
 		/*
@@ -5411,24 +5450,26 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		 * them.)
 		 */
 		if (secure_domain && rdataset->trust != dns_trust_glue &&
-		    !EXTERNAL(rdataset)) {
+		    !EXTERNAL(rdataset))
+		{
 			dns_trust_t trust;
 
 			/*
 			 * RRSIGs are validated as part of validating the
 			 * type they cover.
 			 */
-			if (rdataset->type == dns_rdatatype_rrsig)
+			if (rdataset->type == dns_rdatatype_rrsig) {
 				continue;
+			}
 
-			if (sigrdataset == NULL) {
-				if (!ANSWER(rdataset) && need_validation) {
-					/*
-					 * Ignore non-answer rdatasets that
-					 * are missing signatures.
-					 */
-					continue;
-				}
+			if (sigrdataset == NULL && need_validation &&
+			    !ANSWER(rdataset))
+			{
+				/*
+				 * Ignore unrelated non-answer
+				 * rdatasets that are missing signatures.
+				 */
+				continue;
 			}
 
 			/*
@@ -5444,26 +5485,32 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			 * Mark the rdataset as being prefetch eligible.
 			 */
 			if (rdataset->ttl > fctx->res->view->prefetch_eligible)
+			{
 				rdataset->attributes |=
 					DNS_RDATASETATTR_PREFETCH;
+			}
 
 			/*
 			 * Cache this rdataset/sigrdataset pair as
 			 * pending data.  Track whether it was additional
-			 * or not.
+			 * or not. If this was a priming query, additional
+			 * should be cached as glue.
 			 */
-			if (rdataset->trust == dns_trust_additional)
+			if (rdataset->trust == dns_trust_additional) {
 				trust = dns_trust_pending_additional;
-			else
+			} else {
 				trust = dns_trust_pending_answer;
+			}
 
 			rdataset->trust = trust;
-			if (sigrdataset != NULL)
+			if (sigrdataset != NULL) {
 				sigrdataset->trust = trust;
+			}
 			if (!need_validation || !ANSWER(rdataset)) {
 				options = 0;
 				if (ANSWER(rdataset) &&
-				   rdataset->type != dns_rdatatype_rrsig) {
+				   rdataset->type != dns_rdatatype_rrsig)
+				{
 					isc_result_t tresult;
 					dns_name_t *noqname = NULL;
 					tresult = findnoqname(fctx, name,
@@ -5471,12 +5518,21 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 							      &noqname);
 					if (tresult == ISC_R_SUCCESS &&
 					    noqname != NULL)
+					{
 						(void) dns_rdataset_addnoqname(
 							    rdataset, noqname);
+					}
 				}
 				if ((fctx->options &
 				     DNS_FETCHOPT_PREFETCH) != 0)
+				{
 					options = DNS_DBADD_PREFETCH;
+				}
+				if ((fctx->options &
+				     DNS_FETCHOPT_NOCACHED) != 0)
+				{
+					options |= DNS_DBADD_FORCE;
+				}
 				addedrdataset = ardataset;
 				result = dns_db_addrdataset(fctx->cache, node,
 							    NULL, now, rdataset,
@@ -5486,7 +5542,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 					result = ISC_R_SUCCESS;
 					if (!need_validation &&
 					    ardataset != NULL &&
-					    NEGATIVE(ardataset)) {
+					    NEGATIVE(ardataset))
+					{
 						/*
 						 * The answer in the cache is
 						 * better than the answer we
@@ -5494,12 +5551,13 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 						 * cache entry, so we must set
 						 * eresult appropriately.
 						 */
-						if (NXDOMAIN(ardataset))
+						if (NXDOMAIN(ardataset)) {
 							eresult =
 							   DNS_R_NCACHENXDOMAIN;
-						else
+						} else {
 							eresult =
 							   DNS_R_NCACHENXRRSET;
+						}
 						/*
 						 * We have a negative response
 						 * from the cache so don't
@@ -5509,8 +5567,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 						continue;
 					}
 				}
-				if (result != ISC_R_SUCCESS)
+				if (result != ISC_R_SUCCESS) {
 					break;
+				}
 				if (sigrdataset != NULL) {
 					addedrdataset = asigrdataset;
 					result = dns_db_addrdataset(fctx->cache,
@@ -5518,18 +5577,22 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 								sigrdataset,
 								options,
 								addedrdataset);
-					if (result == DNS_R_UNCHANGED)
+					if (result == DNS_R_UNCHANGED) {
 						result = ISC_R_SUCCESS;
-					if (result != ISC_R_SUCCESS)
+					}
+					if (result != ISC_R_SUCCESS) {
 						break;
-				} else if (!ANSWER(rdataset))
+					}
+				} else if (!ANSWER(rdataset)) {
 					continue;
+				}
 			}
 
 			if (ANSWER(rdataset) && need_validation) {
 				if (fctx->type != dns_rdatatype_any &&
 				    fctx->type != dns_rdatatype_rrsig &&
-				    fctx->type != dns_rdatatype_sig) {
+				    fctx->type != dns_rdatatype_sig)
+				{
 					/*
 					 * This is The Answer.  We will
 					 * validate it, but first we cache
@@ -5558,9 +5621,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 							   valoptions, task);
 				}
 			} else if (CHAINING(rdataset)) {
-				if (rdataset->type == dns_rdatatype_cname)
+				if (rdataset->type == dns_rdatatype_cname) {
 					eresult = DNS_R_CNAME;
-				else {
+				} else {
 					INSIST(rdataset->type ==
 					       dns_rdatatype_dname);
 					eresult = DNS_R_DNAME;
@@ -5570,16 +5633,17 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			/*
 			 * It's OK to cache this rdataset now.
 			 */
-			if (ANSWER(rdataset))
+			if (ANSWER(rdataset)) {
 				addedrdataset = ardataset;
-			else if (ANSWERSIG(rdataset))
+			} else if (ANSWERSIG(rdataset)) {
 				addedrdataset = asigrdataset;
-			else
+			} else {
 				addedrdataset = NULL;
+			}
 			if (CHAINING(rdataset)) {
-				if (rdataset->type == dns_rdatatype_cname)
+				if (rdataset->type == dns_rdatatype_cname) {
 					eresult = DNS_R_CNAME;
-				else {
+				} else {
 					INSIST(rdataset->type ==
 					       dns_rdatatype_dname);
 					eresult = DNS_R_DNAME;
@@ -5588,7 +5652,8 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			if (rdataset->trust == dns_trust_glue &&
 			    (rdataset->type == dns_rdatatype_ns ||
 			     (rdataset->type == dns_rdatatype_rrsig &&
-			      rdataset->covers == dns_rdatatype_ns))) {
+			      rdataset->covers == dns_rdatatype_ns)))
+			{
 				/*
 				 * If the trust level is 'dns_trust_glue'
 				 * then we are adding data from a referral
@@ -5598,20 +5663,25 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 				 */
 				options = DNS_DBADD_FORCE;
 			} else if ((fctx->options & DNS_FETCHOPT_PREFETCH) != 0)
+			{
 				options = DNS_DBADD_PREFETCH;
-			else
+			} else {
 				options = 0;
+			}
 
 			if (ANSWER(rdataset) &&
-			   rdataset->type != dns_rdatatype_rrsig) {
+			   rdataset->type != dns_rdatatype_rrsig)
+			{
 				isc_result_t tresult;
 				dns_name_t *noqname = NULL;
 				tresult = findnoqname(fctx, name,
 						      rdataset->type, &noqname);
 				if (tresult == ISC_R_SUCCESS &&
 				    noqname != NULL)
+				{
 					(void) dns_rdataset_addnoqname(
 						       rdataset, noqname);
+				}
 			}
 
 			/*
@@ -5626,31 +5696,35 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			if (result == DNS_R_UNCHANGED) {
 				if (ANSWER(rdataset) &&
 				    ardataset != NULL &&
-				    NEGATIVE(ardataset)) {
+				    NEGATIVE(ardataset))
+				{
 					/*
 					 * The answer in the cache is better
 					 * than the answer we found, and is
 					 * a negative cache entry, so we
 					 * must set eresult appropriately.
 					 */
-					if (NXDOMAIN(ardataset))
+					if (NXDOMAIN(ardataset)) {
 						eresult = DNS_R_NCACHENXDOMAIN;
-					else
+					} else {
 						eresult = DNS_R_NCACHENXRRSET;
+					}
 				}
 				result = ISC_R_SUCCESS;
-			} else if (result != ISC_R_SUCCESS)
+			} else if (result != ISC_R_SUCCESS) {
 				break;
+			}
 		}
 	}
 
 	if (valrdataset != NULL) {
 		dns_rdatatype_t vtype = fctx->type;
 		if (CHAINING(valrdataset)) {
-			if (valrdataset->type == dns_rdatatype_cname)
+			if (valrdataset->type == dns_rdatatype_cname) {
 				vtype = dns_rdatatype_cname;
-			else
+			} else {
 				vtype = dns_rdatatype_dname;
+			}
 		}
 		result = valcreate(fctx, addrinfo, name, vtype, valrdataset,
 				   valsigrdataset, valoptions, task);
@@ -5663,14 +5737,16 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			 * Negative results must be indicated in event->result.
 			 */
 			if (dns_rdataset_isassociated(event->rdataset) &&
-			    NEGATIVE(event->rdataset)) {
+			    NEGATIVE(event->rdataset))
+			{
 				INSIST(eresult == DNS_R_NCACHENXDOMAIN ||
 				       eresult == DNS_R_NCACHENXRRSET);
 			}
 			event->result = eresult;
 			if (adbp != NULL && *adbp != NULL) {
-				if (anodep != NULL && *anodep != NULL)
+				if (anodep != NULL && *anodep != NULL) {
 					dns_db_detachnode(*adbp, anodep);
+				}
 				dns_db_detach(adbp);
 			}
 			dns_db_attach(fctx->cache, adbp);
@@ -5679,8 +5755,9 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 		}
 	}
 
-	if (node != NULL)
+	if (node != NULL) {
 		dns_db_detachnode(fctx->cache, &node);
+	}
 
 	return (result);
 }
@@ -5976,8 +6053,8 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 {
 	fetchctx_t *fctx = arg;
 	isc_result_t result;
-	dns_name_t *name;
-	dns_rdataset_t *rdataset;
+	dns_name_t *name = NULL;
+	dns_rdataset_t *rdataset = NULL;
 	isc_boolean_t external;
 	dns_rdatatype_t rtype;
 	isc_boolean_t gluing;
@@ -5989,12 +6066,10 @@ check_section(void *arg, dns_name_t *addname, dns_rdatatype_t type,
 		return (ISC_R_SUCCESS);
 #endif
 
-	if (GLUING(fctx))
-		gluing = ISC_TRUE;
-	else
-		gluing = ISC_FALSE;
-	name = NULL;
-	rdataset = NULL;
+	gluing = ISC_TF(GLUING(fctx) ||
+			(fctx->type == dns_rdatatype_ns &&
+			 dns_name_equal(&fctx->name, dns_rootname)));
+
 	result = dns_message_findname(fctx->rmessage, section, addname,
 				      dns_rdatatype_any, 0, &name, NULL);
 	if (result == ISC_R_SUCCESS) {
@@ -6176,6 +6251,7 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 	unsigned int nlabels;
 	dns_fixedname_t fixed;
 	dns_name_t prefix;
+	int order;
 
 	REQUIRE(rdataset != NULL);
 	REQUIRE(rdataset->type == dns_rdatatype_cname ||
@@ -6198,18 +6274,26 @@ is_answertarget_allowed(fetchctx_t *fctx, dns_name_t *qname, dns_name_t *rname,
 		tname = &cname.cname;
 		break;
 	case dns_rdatatype_dname:
+		if (dns_name_fullcompare(qname, rname, &order, &nlabels) !=
+		    dns_namereln_subdomain)
+		{
+			return (ISC_TRUE);
+		}
 		result = dns_rdata_tostruct(&rdata, &dname, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_name_init(&prefix, NULL);
 		dns_fixedname_init(&fixed);
 		tname = dns_fixedname_name(&fixed);
-		nlabels = dns_name_countlabels(qname) -
-			  dns_name_countlabels(rname);
+		nlabels = dns_name_countlabels(rname);
 		dns_name_split(qname, nlabels, &prefix, NULL);
 		result = dns_name_concatenate(&prefix, &dname.dname, tname,
 					      NULL);
-		if (result == DNS_R_NAMETOOLONG)
+		if (result == DNS_R_NAMETOOLONG) {
+			if (chainingp != NULL) {
+				*chainingp = ISC_TRUE;
+			}
 			return (ISC_TRUE);
+		}
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		break;
 	default:
@@ -6938,7 +7022,9 @@ answer_response(fetchctx_t *fctx) {
 		}
 		if ((ardataset->type == dns_rdatatype_cname ||
 		     ardataset->type == dns_rdatatype_dname) &&
-		     !is_answertarget_allowed(fctx, qname, aname, ardataset,
+		    type != ardataset->type &&
+		    type != dns_rdatatype_any &&
+		    !is_answertarget_allowed(fctx, qname, aname, ardataset,
 					      NULL))
 		{
 			return (DNS_R_SERVFAIL);
@@ -7199,21 +7285,41 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	dns_rdataset_init(&nameservers);
 
 	bucketnum = fctx->bucketnum;
+
+	/*
+	 * Note: fevent->rdataset must be disassociated and
+	 * isc_event_free(&event) be called before resuming
+	 * processing of the 'fctx' to prevent use-after-free.
+	 * 'fevent' is set to NULL so as to not have a dangling
+	 * pointer.
+	 */
 	if (fevent->result == ISC_R_CANCELED) {
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
 		dns_resolver_destroyfetch(&fctx->nsfetch);
 		fctx_done(fctx, ISC_R_CANCELED, __LINE__);
 	} else if (fevent->result == ISC_R_SUCCESS) {
-
 		FCTXTRACE("resuming DS lookup");
 
 		dns_resolver_destroyfetch(&fctx->nsfetch);
-		if (dns_rdataset_isassociated(&fctx->nameservers))
+		if (dns_rdataset_isassociated(&fctx->nameservers)) {
 			dns_rdataset_disassociate(&fctx->nameservers);
+		}
 		dns_rdataset_clone(fevent->rdataset, &fctx->nameservers);
 		fctx->ns_ttl = fctx->nameservers.ttl;
 		fctx->ns_ttl_ok = ISC_TRUE;
 		log_ns_ttl(fctx, "resume_dslookup");
 
+		if (dns_rdataset_isassociated(fevent->rdataset)) {
+			dns_rdataset_disassociate(fevent->rdataset);
+		}
+		fevent = NULL;
+		isc_event_free(&event);
+
 #ifdef ENABLE_FETCHLIMIT
 		fcount_decr(fctx);
 #endif /* ENABLE_FETCHLIMIT */
@@ -7249,6 +7355,12 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		domain = dns_fixedname_name(&fixed);
 		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
 		if (dns_name_equal(&fctx->nsname, domain)) {
+			if (dns_rdataset_isassociated(fevent->rdataset)) {
+				dns_rdataset_disassociate(fevent->rdataset);
+			}
+			fevent = NULL;
+			isc_event_free(&event);
+
 			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			dns_resolver_destroyfetch(&fctx->nsfetch);
 			goto cleanup;
@@ -7268,7 +7380,11 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 
 		if (dns_rdataset_isassociated(fevent->rdataset))
 			dns_rdataset_disassociate(fevent->rdataset);
+		fevent = NULL;
+		isc_event_free(&event);
+
 		FCTXTRACE("continuing to look for parent's NS records");
+
 		result = dns_resolver_createfetch(fctx->res, &fctx->nsname,
 						  dns_rdatatype_ns, domain,
 						  nsrdataset, NULL,
@@ -7276,9 +7392,14 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 						  resume_dslookup, fctx,
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
-		if (result != ISC_R_SUCCESS)
+		/*
+		 * fevent->rdataset (a.k.a. fctx->nsrrset) must not be
+		 * accessed below this point to prevent races with
+		 * another thread concurrently processing the fetch.
+		 */
+		if (result != ISC_R_SUCCESS) {
 			fctx_done(fctx, result, __LINE__);
-		else {
+		} else {
 			LOCK(&res->buckets[bucketnum].lock);
 			locked = ISC_TRUE;
 			fctx->references++;
@@ -7286,12 +7407,10 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	}
 
  cleanup:
+	INSIST(event == NULL);
+	INSIST(fevent == NULL);
 	if (dns_rdataset_isassociated(&nameservers))
 		dns_rdataset_disassociate(&nameservers);
-	if (dns_rdataset_isassociated(fevent->rdataset))
-		dns_rdataset_disassociate(fevent->rdataset);
-	INSIST(fevent->sigrdataset == NULL);
-	isc_event_free(&event);
 	if (!locked)
 		LOCK(&res->buckets[bucketnum].lock);
 	bucket_empty = fctx_decreference(fctx);
@@ -8812,7 +8931,11 @@ dns_resolver_create(dns_view_t *view,
 #if USE_MBSLOCK
 	result = isc_rwlock_init(&res->mbslock, 0, 0);
 	if (result != ISC_R_SUCCESS)
+#if USE_ALGLOCK
 		goto cleanup_alglock;
+#else
+		goto cleanup_spillattimer;
+#endif
 #endif
 
 	res->magic = RES_MAGIC;
@@ -8821,12 +8944,11 @@ dns_resolver_create(dns_view_t *view,
 
 	return (ISC_R_SUCCESS);
 
-#if USE_MBSLOCK
+#if USE_ALGLOCK && USE_MBSLOCK
  cleanup_alglock:
-#if USE_ALGLOCK
 	isc_rwlock_destroy(&res->alglock);
 #endif
-#endif
+
 #if USE_ALGLOCK || USE_MBSLOCK
  cleanup_spillattimer:
 	isc_timer_detach(&res->spillattimer);
@@ -8885,6 +9007,10 @@ prime_done(isc_task_t *task, isc_event_t *event) {
 	res = event->ev_arg;
 	REQUIRE(VALID_RESOLVER(res));
 
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "resolver priming query complete");
+
 	UNUSED(task);
 
 	LOCK(&res->lock);
@@ -9924,7 +10050,7 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
 			       unsigned int alg)
 {
 	unsigned int len, mask;
-	unsigned char *new;
+	unsigned char *tmp;
 	unsigned char *algorithms;
 	isc_result_t result;
 	dns_rbtnode_t *node = NULL;
@@ -9967,18 +10093,18 @@ dns_resolver_disable_algorithm(dns_resolver_t *resolver, dns_name_t *name,
 			 * bitfield and copy the old (smaller) bitfield
 			 * into it if one exists.
 			 */
-			new = isc_mem_get(resolver->mctx, len);
-			if (new == NULL) {
+			tmp = isc_mem_get(resolver->mctx, len);
+			if (tmp == NULL) {
 				result = ISC_R_NOMEMORY;
 				goto cleanup;
 			}
-			memset(new, 0, len);
+			memset(tmp, 0, len);
 			if (algorithms != NULL)
-				memmove(new, algorithms, *algorithms);
-			new[len-1] |= mask;
-			/* new[0] should contain the length of new. */
-			*new = len;
-			node->data = new;
+				memmove(tmp, algorithms, *algorithms);
+			tmp[len-1] |= mask;
+			/* 'tmp[0]' should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
 			/* Free the older bitfield. */
 			if (algorithms != NULL)
 				isc_mem_put(resolver->mctx, algorithms,
@@ -10063,7 +10189,7 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name,
 			       unsigned int digest_type)
 {
 	unsigned int len, mask;
-	unsigned char *new;
+	unsigned char *tmp;
 	unsigned char *digests;
 	isc_result_t result;
 	dns_rbtnode_t *node = NULL;
@@ -10102,18 +10228,18 @@ dns_resolver_disable_ds_digest(dns_resolver_t *resolver, dns_name_t *name,
 			 * bitfield and copy the old (smaller) bitfield
 			 * into it if one exists.
 			 */
-			new = isc_mem_get(resolver->mctx, len);
-			if (new == NULL) {
+			tmp = isc_mem_get(resolver->mctx, len);
+			if (tmp == NULL) {
 				result = ISC_R_NOMEMORY;
 				goto cleanup;
 			}
-			memset(new, 0, len);
+			memset(tmp, 0, len);
 			if (digests != NULL)
-				memmove(new, digests, *digests);
-			new[len-1] |= mask;
-			/* new[0] should contain the length of new. */
-			*new = len;
-			node->data = new;
+				memmove(tmp, digests, *digests);
+			tmp[len-1] |= mask;
+			/* tmp[0] should contain the length of 'tmp'. */
+			*tmp = len;
+			node->data = tmp;
 			/* Free the older bitfield. */
 			if (digests != NULL)
 				isc_mem_put(resolver->mctx, digests,
@@ -10386,7 +10512,7 @@ dns_resolver_dumpfetches(dns_resolver_t *resolver,
 		     fc = ISC_LIST_NEXT(fc, link))
 		{
 			dns_name_print(fc->domain, fp);
-			fprintf(fp, ": %d active (%d spilled, %d allowed)\n",
+			fprintf(fp, ": %u active (%u spilled, %u allowed)\n",
 				fc->count, fc->dropped, fc->allowed);
 		}
 		UNLOCK(&resolver->dbuckets[i].lock);
diff --git a/usr.sbin/bind/lib/dns/result.c b/usr.sbin/bind/lib/dns/result.c
index 3a71207117f..2406668d490 100644
--- a/usr.sbin/bind/lib/dns/result.c
+++ b/usr.sbin/bind/lib/dns/result.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: result.c,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -165,7 +164,7 @@ static const char *text[DNS_R_NRESULTS] = {
 	"bad EUI",			       /*%< 109 DNS_R_BADEUI */
 
 	"covered by negative trust anchor",    /*%< 110 DNS_R_NTACOVERED */
-	"bad CDS",			       /*%< 111 DNS_R_BADCSD */
+	"bad CDS",			       /*%< 111 DNS_R_BADCDS */
 	"bad CDNSKEY",			       /*%< 112 DNS_R_BADCDNSKEY */
 	"malformed OPT option",		       /*%< 113 DNS_R_OPTERR */
 	"malformed DNSTAP data",	       /*%< 114 DNS_R_BADDNSTAP */
diff --git a/usr.sbin/bind/lib/dns/rootns.c b/usr.sbin/bind/lib/dns/rootns.c
index 8cde8a50313..3f58a8176f7 100644
--- a/usr.sbin/bind/lib/dns/rootns.c
+++ b/usr.sbin/bind/lib/dns/rootns.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2010, 2012-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.c,v 1.9 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: rootns.c,v 1.10 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -61,7 +60,7 @@ static char root_ns[] =
 ".                       518400  IN      NS      M.ROOT-SERVERS.NET.\n"
 "A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4\n"
 "A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:BA3E::2:30\n"
-"B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201\n"
+"B.ROOT-SERVERS.NET.     3600000 IN      A       199.9.14.201\n"
 "B.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:200::b\n"
 "C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12\n"
 "C.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2::c\n"
@@ -131,7 +130,7 @@ check_node(dns_rdataset_t *rootns, dns_name_t *name,
 		case dns_rdatatype_ns:
 			if (dns_name_compare(name, dns_rootname) == 0)
 				break;
-			/*FALLTHROUGH*/
+			/* FALLTHROUGH */
 		default:
 			result = ISC_R_FAILURE;
 			goto cleanup;
diff --git a/usr.sbin/bind/lib/dns/rpz.c b/usr.sbin/bind/lib/dns/rpz.c
index 56768756471..92f6678d1b7 100644
--- a/usr.sbin/bind/lib/dns/rpz.c
+++ b/usr.sbin/bind/lib/dns/rpz.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -385,12 +385,11 @@ fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) {
 	 * qname_wait_recurse and qname_skip_recurse are used to
 	 * implement the "qname-wait-recurse" config option.
 	 *
-	 * By default, "qname-wait-recurse" is yes, so no
-	 * processing happens without recursion. In this case,
-	 * qname_wait_recurse is true, and qname_skip_recurse
-	 * (a bit field indicating which policy zones can be
-	 * processed without recursion) is set to all 0's by
-	 * fix_qname_skip_recurse().
+	 * When "qname-wait-recurse" is yes, no processing happens
+	 * without recursion. In this case, qname_wait_recurse is true,
+	 * and qname_skip_recurse (a bitfield indicating which policy
+	 * zones can be processed without recursion) is set to all 0's
+	 * by fix_qname_skip_recurse().
 	 *
 	 * When "qname-wait-recurse" is no, qname_skip_recurse may be
 	 * set to a non-zero value by fix_qname_skip_recurse(). The mask
@@ -619,33 +618,33 @@ new_node(dns_rpz_zones_t *rpzs,
 	 const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix,
 	 const dns_rpz_cidr_node_t *child)
 {
-	dns_rpz_cidr_node_t *new;
+	dns_rpz_cidr_node_t *node;
 	int i, words, wlen;
 
-	new = isc_mem_get(rpzs->mctx, sizeof(*new));
-	if (new == NULL)
+	node = isc_mem_get(rpzs->mctx, sizeof(*node));
+	if (node == NULL)
 		return (NULL);
-	memset(new, 0, sizeof(*new));
+	memset(node, 0, sizeof(*node));
 
 	if (child != NULL)
-		new->sum = child->sum;
+		node->sum = child->sum;
 
-	new->prefix = prefix;
+	node->prefix = prefix;
 	words = prefix / DNS_RPZ_CIDR_WORD_BITS;
 	wlen = prefix % DNS_RPZ_CIDR_WORD_BITS;
 	i = 0;
 	while (i < words) {
-		new->ip.w[i] = ip->w[i];
+		node->ip.w[i] = ip->w[i];
 		++i;
 	}
 	if (wlen != 0) {
-		new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
+		node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
 		++i;
 	}
 	while (i < DNS_RPZ_CIDR_WORDS)
-		new->ip.w[i++] = 0;
+		node->ip.w[i++] = 0;
 
-	return (new);
+	return (node);
 }
 
 static void
@@ -669,6 +668,12 @@ badname(int level, dns_name_t *name, const char *str1, const char *str2) {
  * Convert an IP address from radix tree binary (host byte order) to
  * to its canonical response policy domain name without the origin of the
  * policy zone.
+ *
+ * Generate a name for an IPv6 address that fits RFC 5952, except that
+ * our reversed format requires that when the length of the consecutive
+ * 16-bit 0 fields are equal (e.g., 1.0.0.1.0.0.db8.2001 corresponding
+ * to 2001:db8:0:0:1:0:0:1), we shorted the last instead of the first
+ * (e.g., 1.0.0.1.zz.db8.2001 corresponding to 2001:db8::1:0:0:1).
  */
 static isc_result_t
 ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
@@ -681,53 +686,61 @@ ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
 	char str[1+8+1+INET6_ADDRSTRLEN+1];
 	isc_buffer_t buffer;
 	isc_result_t result;
-	isc_boolean_t zeros;
+	int best_first, best_len, cur_first, cur_len;
 	int i, n, len;
 
 	if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
-		len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d",
-			       tgt_prefix - 96,
-			       tgt_ip->w[3] & 0xff,
-			       (tgt_ip->w[3]>>8) & 0xff,
-			       (tgt_ip->w[3]>>16) & 0xff,
-			       (tgt_ip->w[3]>>24) & 0xff);
-		if (len < 0 || len > (int)sizeof(str))
+		len = snprintf(str, sizeof(str), "%u.%u.%u.%u.%u",
+			       tgt_prefix - 96U,
+			       tgt_ip->w[3] & 0xffU,
+			       (tgt_ip->w[3]>>8) & 0xffU,
+			       (tgt_ip->w[3]>>16) & 0xffU,
+			       (tgt_ip->w[3]>>24) & 0xffU);
+		if (len < 0 || len > (int)sizeof(str)) {
 			return (ISC_R_FAILURE);
+		}
 	} else {
+		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
+		if (len == -1)
+			return (ISC_R_FAILURE);
 		for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
 			w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
 				    & 0xffff);
 			w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
 		}
-		zeros = ISC_FALSE;
-		len = snprintf(str, sizeof(str), "%d", tgt_prefix);
-		if (len == -1)
-			return (ISC_R_FAILURE);
-		i = 0;
-		while (i < DNS_RPZ_CIDR_WORDS * 2) {
-			if (w[i] != 0 || zeros ||
-			    i >= DNS_RPZ_CIDR_WORDS * 2 - 1 ||
-			    w[i+1] != 0) {
-				INSIST((size_t)len <= sizeof(str));
-				n = snprintf(&str[len], sizeof(str) - len,
-					     ".%x", w[i++]);
-				if (n < 0)
-					return (ISC_R_FAILURE);
-				len += n;
+		/*
+		 * Find the start and length of the first longest sequence
+		 * of zeros in the address.
+		 */
+		best_first = -1;
+		best_len = 0;
+		cur_first = -1;
+		cur_len = 0;
+		for (n = 0; n <=7; ++n) {
+			if (w[n] != 0) {
+				cur_len = 0;
+				cur_first = -1;
 			} else {
-				zeros = ISC_TRUE;
-				INSIST((size_t)len <= sizeof(str));
-				n = snprintf(&str[len], sizeof(str) - len,
-					     ".zz");
-				if (n < 0)
-					return (ISC_R_FAILURE);
-				len += n;
-				i += 2;
-				while (i < DNS_RPZ_CIDR_WORDS * 2 && w[i] == 0)
-					++i;
+				++cur_len;
+				if (cur_first < 0) {
+					cur_first = n;
+				} else if (cur_len >= best_len) {
+					best_first = cur_first;
+					best_len = cur_len;
+				}
+			}
+		}
+
+		for (n = 0; n <= 7; ++n) {
+			INSIST(len < (int)sizeof(str));
+			if (n == best_first) {
+				len += snprintf(str + len, sizeof(str) - len,
+						".zz");
+				n += best_len - 1;
+			} else {
+				len += snprintf(str + len, sizeof(str) - len,
+						".%x", w[n]);
 			}
-			if (len >= (int)sizeof(str))
-				return (ISC_R_FAILURE);
 		}
 	}
 
@@ -738,7 +751,7 @@ ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
 }
 
 /*
- * Determine the type a of a name in a response policy zone.
+ * Determine the type of a name in a response policy zone.
  */
 static dns_rpz_type_t
 type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) {
@@ -776,6 +789,7 @@ name2ipkey(int log_level,
 {
 	dns_rpz_zone_t *rpz;
 	char ip_str[DNS_NAME_FORMATSIZE];
+	char ip2_str[DNS_NAME_FORMATSIZE];
 	dns_offsets_t ip_name_offsets;
 	dns_fixedname_t ip_name2f;
 	dns_name_t ip_name, *ip_name2;
@@ -818,7 +832,7 @@ name2ipkey(int log_level,
 			"; invalid leading prefix length", "");
 		return (ISC_R_FAILURE);
 	}
-	*cp2 = '\0';
+
 	if (prefix_num < 1U || prefix_num > 128U) {
 		badname(log_level, src_name,
 			"; invalid prefix length of ", prefix_str);
@@ -914,21 +928,27 @@ name2ipkey(int log_level,
 	}
 
 	/*
-	 * XXXMUKS: Should the following check be enabled in a
-	 * production build?  It can be expensive for large IP zones
-	 * from 3rd parties.
+	 * Complain about bad names but be generous and accept them.
 	 */
-
-	/*
-	 * Convert the address back to a canonical domain name
-	 * to ensure that the original name is in canonical form.
-	 */
-	dns_fixedname_init(&ip_name2f);
-	ip_name2 = dns_fixedname_name(&ip_name2f);
-	result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2);
-	if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) {
-		badname(log_level, src_name, "; not canonical", "");
-		return (ISC_R_FAILURE);
+	if (log_level < DNS_RPZ_DEBUG_QUIET &&
+	    isc_log_wouldlog(dns_lctx, log_level)) {
+		/*
+		 * Convert the address back to a canonical domain name
+		 * to ensure that the original name is in canonical form.
+		 */
+		dns_fixedname_init(&ip_name2f);
+		ip_name2 = dns_fixedname_name(&ip_name2f);
+		result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num,
+				 NULL, ip_name2);
+		if (result != ISC_R_SUCCESS ||
+		    !dns_name_equal(&ip_name, ip_name2)) {
+			dns_name_format(ip_name2, ip2_str, sizeof(ip2_str));
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
+				      DNS_LOGMODULE_RBTDB, log_level,
+				      "rpz IP address \"%s\""
+				      " is not the canonical \"%s\"",
+				      ip_str, ip2_str);
+		}
 	}
 
 	return (ISC_R_SUCCESS);
@@ -1383,7 +1403,7 @@ rpz_node_deleter(void *nm_data, void *mctx) {
 }
 
 /*
- * Get ready for a new set of policy zones.
+ * Get ready for a new set of policy zones for a view.
  */
 isc_result_t
 dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) {
@@ -1529,25 +1549,26 @@ dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
 
 	*rpzsp = NULL;
 	isc_refcount_decrement(&rpzs->refs, &refs);
+	if (refs > 0)
+		return;
 
 	/*
-	 * Forget the last of view's rpz machinery after the last reference.
+	 * Forget the last of view's rpz machinery after the last
+	 * reference.
 	 */
-	if (refs == 0) {
-		for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) {
-			rpz = rpzs->zones[rpz_num];
-			rpzs->zones[rpz_num] = NULL;
-			if (rpz != NULL)
-				rpz_detach(&rpz, rpzs);
-		}
-
-		cidr_free(rpzs);
-		dns_rbt_destroy(&rpzs->rbt);
-		DESTROYLOCK(&rpzs->maint_lock);
-		isc_rwlock_destroy(&rpzs->search_lock);
-		isc_refcount_destroy(&rpzs->refs);
-		isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
+	for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) {
+		rpz = rpzs->zones[rpz_num];
+		rpzs->zones[rpz_num] = NULL;
+		if (rpz != NULL)
+			rpz_detach(&rpz, rpzs);
 	}
+
+	cidr_free(rpzs);
+	dns_rbt_destroy(&rpzs->rbt);
+	DESTROYLOCK(&rpzs->maint_lock);
+	isc_rwlock_destroy(&rpzs->search_lock);
+	isc_refcount_destroy(&rpzs->refs);
+	isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
 }
 
 /*
@@ -2025,6 +2046,7 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	dns_rbtnode_t *nmnode;
 	dns_rpz_nm_data_t *nm_data, del_data;
 	isc_result_t result;
+	isc_boolean_t exists;
 
 	/*
 	 * We need a summary database of names even with 1 policy zone,
@@ -2068,6 +2090,9 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 	del_data.wild.qname &= nm_data->wild.qname;
 	del_data.wild.ns &= nm_data->wild.ns;
 
+	exists = ISC_TF(del_data.set.qname != 0 || del_data.set.ns != 0 ||
+			del_data.wild.qname != 0 || del_data.wild.ns != 0);
+
 	nm_data->set.qname &= ~del_data.set.qname;
 	nm_data->set.ns &= ~del_data.set.ns;
 	nm_data->wild.qname &= ~del_data.wild.qname;
@@ -2088,7 +2113,8 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
 		}
 	}
 
-	adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
+	if (exists)
+		adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
 }
 
 /*
diff --git a/usr.sbin/bind/lib/dns/rriterator.c b/usr.sbin/bind/lib/dns/rriterator.c
index 0af6489b6a0..0ba7847ee99 100644
--- a/usr.sbin/bind/lib/dns/rriterator.c
+++ b/usr.sbin/bind/lib/dns/rriterator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rriterator.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: rriterator.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/rrl.c b/usr.sbin/bind/lib/dns/rrl.c
index d33a1607e74..cec8ae696e9 100644
--- a/usr.sbin/bind/lib/dns/rrl.c
+++ b/usr.sbin/bind/lib/dns/rrl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -27,6 +27,7 @@
 #include <isc/net.h>
 #include <isc/netaddr.h>
 #include <isc/print.h>
+#include <isc/util.h>
 
 #include <dns/result.h>
 #include <dns/rcode.h>
@@ -196,18 +197,18 @@ set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) {
 }
 
 static isc_result_t
-expand_entries(dns_rrl_t *rrl, int new) {
+expand_entries(dns_rrl_t *rrl, int newsize) {
 	unsigned int bsize;
 	dns_rrl_block_t *b;
 	dns_rrl_entry_t *e;
 	double rate;
 	int i;
 
-	if (rrl->num_entries + new >= rrl->max_entries &&
+	if (rrl->num_entries + newsize >= rrl->max_entries &&
 	    rrl->max_entries != 0)
 	{
-		new = rrl->max_entries - rrl->num_entries;
-		if (new <= 0)
+		newsize = rrl->max_entries - rrl->num_entries;
+		if (newsize <= 0)
 			return (ISC_R_SUCCESS);
 	}
 
@@ -224,11 +225,11 @@ expand_entries(dns_rrl_t *rrl, int new) {
 			      DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP,
 			      "increase from %d to %d RRL entries with"
 			      " %d bins; average search length %.1f",
-			      rrl->num_entries, rrl->num_entries+new,
+			      rrl->num_entries, rrl->num_entries+newsize,
 			      rrl->hash->length, rate);
 	}
 
-	bsize = sizeof(dns_rrl_block_t) + (new-1)*sizeof(dns_rrl_entry_t);
+	bsize = sizeof(dns_rrl_block_t) + (newsize-1)*sizeof(dns_rrl_entry_t);
 	b = isc_mem_get(rrl->mctx, bsize);
 	if (b == NULL) {
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL,
@@ -241,11 +242,11 @@ expand_entries(dns_rrl_t *rrl, int new) {
 	b->size = bsize;
 
 	e = b->entries;
-	for (i = 0; i < new; ++i, ++e) {
+	for (i = 0; i < newsize; ++i, ++e) {
 		ISC_LINK_INIT(e, hlink);
 		ISC_LIST_INITANDAPPEND(rrl->lru, e, lru);
 	}
-	rrl->num_entries += new;
+	rrl->num_entries += newsize;
 	ISC_LIST_INITANDAPPEND(rrl->blocks, b, link);
 
 	return (ISC_R_SUCCESS);
@@ -425,11 +426,11 @@ make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key,
 		{
 			dns_name_init(&base, base_offsets);
 			dns_name_getlabelsequence(qname, 1, labels-1, &base);
-			key->s.qname_hash = dns_name_hashbylabel(&base,
-							ISC_FALSE);
+			key->s.qname_hash =
+				dns_name_fullhash(&base, ISC_FALSE);
 		} else {
-			key->s.qname_hash = dns_name_hashbylabel(qname,
-							ISC_FALSE);
+			key->s.qname_hash =
+				dns_name_fullhash(qname, ISC_FALSE);
 		}
 	}
 
@@ -773,7 +774,7 @@ add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) {
 
 	isc_buffer_availableregion(lb, &region);
 	if (str_len >= region.length) {
-		if (region.length <= 0)
+		if (region.length == 0U)
 			return;
 		str_len = region.length;
 	}
diff --git a/usr.sbin/bind/lib/dns/sdb.c b/usr.sbin/bind/lib/dns/sdb.c
index fd6935838d4..6bb6ce4c4a4 100644
--- a/usr.sbin/bind/lib/dns/sdb.c
+++ b/usr.sbin/bind/lib/dns/sdb.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.5 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: sdb.c,v 1.6 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -113,10 +112,10 @@ typedef struct sdb_rdatasetiter {
 #define VALID_SDBNODE(sdbn)	VALID_SDBLOOKUP(sdbn)
 
 /* These values are taken from RFC1537 */
-#define SDB_DEFAULT_REFRESH	(60 * 60 * 8)
-#define SDB_DEFAULT_RETRY	(60 * 60 * 2)
-#define SDB_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
-#define SDB_DEFAULT_MINIMUM	(60 * 60 * 24)
+#define SDB_DEFAULT_REFRESH	28800U		/* 8 hours */
+#define SDB_DEFAULT_RETRY	7200U		/* 2 hours */
+#define SDB_DEFAULT_EXPIRE	604800U		/* 7 days */
+#define SDB_DEFAULT_MINIMUM	86400U		/* 1 day */
 
 /* This is a reasonable value */
 #define SDB_DEFAULT_TTL		(60 * 60 * 24)
@@ -1413,7 +1412,7 @@ rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
 	source->private5 = tempdb;
 }
 
-static dns_rdatasetmethods_t methods = {
+static dns_rdatasetmethods_t sdb_rdataset_methods = {
 	disassociate,
 	isc__rdatalist_first,
 	isc__rdatalist_next,
@@ -1448,7 +1447,7 @@ list_tordataset(dns_rdatalist_t *rdatalist,
 	RUNTIME_CHECK(dns_rdatalist_tordataset(rdatalist, rdataset) ==
 		      ISC_R_SUCCESS);
 
-	rdataset->methods = &methods;
+	rdataset->methods = &sdb_rdataset_methods;
 	dns_db_attachnode(db, node, &rdataset->private5);
 }
 
diff --git a/usr.sbin/bind/lib/dns/sdlz.c b/usr.sbin/bind/lib/dns/sdlz.c
index da5d37d75c5..0a4e3afaf87 100644
--- a/usr.sbin/bind/lib/dns/sdlz.c
+++ b/usr.sbin/bind/lib/dns/sdlz.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2005-2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -50,7 +49,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: sdlz.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -158,10 +157,10 @@ typedef struct sdlz_rdatasetiter {
 #define VALID_SDLZNODE(sdlzn)	VALID_SDLZLOOKUP(sdlzn)
 
 /* These values are taken from RFC 1537 */
-#define SDLZ_DEFAULT_REFRESH	(60 * 60 * 8)
-#define SDLZ_DEFAULT_RETRY	(60 * 60 * 2)
-#define SDLZ_DEFAULT_EXPIRE	(60 * 60 * 24 * 7)
-#define SDLZ_DEFAULT_MINIMUM	(60 * 60 * 24)
+#define SDLZ_DEFAULT_REFRESH	28800U		/* 8 hours */
+#define SDLZ_DEFAULT_RETRY	7200U		/* 2 hours */
+#define SDLZ_DEFAULT_EXPIRE	604800U		/* 7 days */
+#define SDLZ_DEFAULT_MINIMUM	86400U		/* 1 day */
 
 /* This is a reasonable value */
 #define SDLZ_DEFAULT_TTL	(60 * 60 * 24)
@@ -1717,7 +1716,7 @@ dns_sdlzssumatch(dns_name_t *signer, dns_name_t *name, isc_netaddr_t *tcpaddr,
 	char b_type[DNS_RDATATYPE_FORMATSIZE];
 	char b_key[DST_KEY_FORMATSIZE];
 	isc_buffer_t *tkey_token = NULL;
-	isc_region_t token_region;
+	isc_region_t token_region = { NULL, 0 };
 	isc_uint32_t token_len = 0;
 	isc_boolean_t ret;
 
diff --git a/usr.sbin/bind/lib/dns/soa.c b/usr.sbin/bind/lib/dns/soa.c
index 394b0e5fe0a..05a8b2236cd 100644
--- a/usr.sbin/bind/lib/dns/soa.c
+++ b/usr.sbin/bind/lib/dns/soa.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: soa.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/spnego.c b/usr.sbin/bind/lib/dns/spnego.c
index 9ab13ef3df8..d4740ee10fd 100644
--- a/usr.sbin/bind/lib/dns/spnego.c
+++ b/usr.sbin/bind/lib/dns/spnego.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -250,16 +250,16 @@ der_get_oid(const unsigned char *p, size_t len,
 	    oid * data, size_t * size);
 static int
 der_get_tag(const unsigned char *p, size_t len,
-	    Der_class * class, Der_type * type,
+	    Der_class * xclass, Der_type * type,
 	    int *tag, size_t * size);
 
 static int
 der_match_tag(const unsigned char *p, size_t len,
-	      Der_class class, Der_type type,
+	      Der_class xclass, Der_type type,
 	      int tag, size_t * size);
 static int
 der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class class, Der_type type, int tag,
+			 Der_class xclass, Der_type type, int tag,
 			 size_t * length_ret, size_t * size);
 
 static int
@@ -285,7 +285,7 @@ static int
 der_put_oid(unsigned char *p, size_t len,
 	    const oid * data, size_t * size);
 static int
-der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
 	    int tag, size_t *);
 static int
 der_put_length_and_tag(unsigned char *, size_t, size_t,
@@ -319,35 +319,39 @@ fix_dce(size_t reallen, size_t * len);
 
 #include "spnego_asn1.c"
 
-static unsigned char gss_krb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+/*
+ * Force the oid arrays to be isc_uint64_t aligned to silence warnings
+ * about the arrays not being properly aligned for (void *).
+ */
+typedef union { unsigned char b[8]; isc_uint64_t _align; } aligned8;
+typedef union { unsigned char b[16]; isc_uint64_t _align[2]; } aligned16;
+
+static aligned16 gss_krb5_mech_oid_bytes = {
+	{ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 }
 };
 
 static gss_OID_desc gss_krb5_mech_oid_desc = {
-	sizeof(gss_krb5_mech_oid_bytes),
-	gss_krb5_mech_oid_bytes
+	9, gss_krb5_mech_oid_bytes.b
 };
 
 static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
 
-static unsigned char gss_mskrb5_mech_oid_bytes[] = {
-	0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02
+static aligned16 gss_mskrb5_mech_oid_bytes = {
+	{ 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02 }
 };
 
 static gss_OID_desc gss_mskrb5_mech_oid_desc = {
-	sizeof(gss_mskrb5_mech_oid_bytes),
-	gss_mskrb5_mech_oid_bytes
+	9, gss_mskrb5_mech_oid_bytes.b
 };
 
 static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
 
-static unsigned char gss_spnego_mech_oid_bytes[] = {
-	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+static aligned8 gss_spnego_mech_oid_bytes = {
+	{ 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02 }
 };
 
 static gss_OID_desc gss_spnego_mech_oid_desc = {
-	sizeof(gss_spnego_mech_oid_bytes),
-	gss_spnego_mech_oid_bytes
+	6, gss_spnego_mech_oid_bytes.b
 };
 
 static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
@@ -866,20 +870,20 @@ der_get_octet_string(const unsigned char *p, size_t len,
 }
 
 static int
-der_get_oid(const unsigned char *p, size_t len,
-	    oid *data, size_t *size)
-{
+der_get_oid(const unsigned char *p, size_t len, oid *data, size_t *size) {
 	int n;
 	size_t oldlen = len;
 
 	data->components = NULL;
 	data->length = 0;
-	if (len < 1U)
+	if (len < 1U) {
 		return (ASN1_OVERRUN);
+	}
 
 	data->components = malloc(len * sizeof(*data->components));
-	if (data->components == NULL && len != 0U)
+	if (data->components == NULL) {
 		return (ENOMEM);
+	}
 	data->components[0] = (*p) / 40;
 	data->components[1] = (*p) % 40;
 	--len;
@@ -898,19 +902,20 @@ der_get_oid(const unsigned char *p, size_t len,
 		return (ASN1_OVERRUN);
 	}
 	data->length = n;
-	if (size)
+	if (size) {
 		*size = oldlen;
+	}
 	return (0);
 }
 
 static int
 der_get_tag(const unsigned char *p, size_t len,
-	    Der_class *class, Der_type *type,
+	    Der_class *xclass, Der_type *type,
 	    int *tag, size_t *size)
 {
 	if (len < 1U)
 		return (ASN1_OVERRUN);
-	*class = (Der_class) (((*p) >> 6) & 0x03);
+	*xclass = (Der_class) (((*p) >> 6) & 0x03);
 	*type = (Der_type) (((*p) >> 5) & 0x01);
 	*tag = (*p) & 0x1F;
 	if (size)
@@ -920,7 +925,7 @@ der_get_tag(const unsigned char *p, size_t len,
 
 static int
 der_match_tag(const unsigned char *p, size_t len,
-	      Der_class class, Der_type type,
+	      Der_class xclass, Der_type type,
 	      int tag, size_t *size)
 {
 	size_t l;
@@ -932,7 +937,7 @@ der_match_tag(const unsigned char *p, size_t len,
 	e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
 	if (e)
 		return (e);
-	if (class != thisclass || type != thistype)
+	if (xclass != thisclass || type != thistype)
 		return (ASN1_BAD_ID);
 	if (tag > thistag)
 		return (ASN1_MISPLACED_FIELD);
@@ -945,13 +950,13 @@ der_match_tag(const unsigned char *p, size_t len,
 
 static int
 der_match_tag_and_length(const unsigned char *p, size_t len,
-			 Der_class class, Der_type type, int tag,
+			 Der_class xclass, Der_type type, int tag,
 			 size_t *length_ret, size_t *size)
 {
 	size_t l, ret = 0;
 	int e;
 
-	e = der_match_tag(p, len, class, type, tag, &l);
+	e = der_match_tag(p, len, xclass, type, tag, &l);
 	if (e)
 		return (e);
 	p += l;
@@ -1165,6 +1170,7 @@ der_put_int(unsigned char *p, size_t len, int val, size_t *size)
 				return (ASN1_OVERFLOW);
 			*p-- = 0;
 			len--;
+			POST(len);
 		}
 	} else {
 		val = ~val;
@@ -1180,6 +1186,7 @@ der_put_int(unsigned char *p, size_t len, int val, size_t *size)
 				return (ASN1_OVERFLOW);
 			*p-- = 0xff;
 			len--;
+			POST(len);
 		}
 	}
 	*size = base - p;
@@ -1254,19 +1261,19 @@ der_put_oid(unsigned char *p, size_t len,
 }
 
 static int
-der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+der_put_tag(unsigned char *p, size_t len, Der_class xclass, Der_type type,
 	    int tag, size_t *size)
 {
 	if (len < 1U)
 		return (ASN1_OVERFLOW);
-	*p = (class << 6) | (type << 5) | tag;	/* XXX */
+	*p = (xclass << 6) | (type << 5) | tag;	/* XXX */
 	*size = 1;
 	return (0);
 }
 
 static int
 der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
-		       Der_class class, Der_type type, int tag, size_t *size)
+		       Der_class xclass, Der_type type, int tag, size_t *size)
 {
 	size_t ret = 0;
 	size_t l;
@@ -1278,7 +1285,7 @@ der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
 	p -= l;
 	len -= l;
 	ret += l;
-	e = der_put_tag(p, len, class, type, tag, &l);
+	e = der_put_tag(p, len, xclass, type, tag, &l);
 	if (e)
 		return (e);
 	p -= l;
diff --git a/usr.sbin/bind/lib/dns/spnego.h b/usr.sbin/bind/lib/dns/spnego.h
index c26896c559c..c517be740e4 100644
--- a/usr.sbin/bind/lib/dns/spnego.h
+++ b/usr.sbin/bind/lib/dns/spnego.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spnego.h,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: spnego.h,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file
  * \brief
diff --git a/usr.sbin/bind/lib/dns/spnego_asn1.c b/usr.sbin/bind/lib/dns/spnego_asn1.c
index cf2abd82b41..3e9b73cff23 100644
--- a/usr.sbin/bind/lib/dns/spnego_asn1.c
+++ b/usr.sbin/bind/lib/dns/spnego_asn1.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2012, 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spnego_asn1.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: spnego_asn1.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file
  * \brief Method routines generated from SPNEGO ASN.1 module.
@@ -366,6 +366,7 @@ decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, siz
 		return ASN1_OVERRUN;
 	p++;
 	len--;
+	POST(len);
 	reallen--;
 	ret++;
 	data->delegFlag = (*p >> 7) & 1;
diff --git a/usr.sbin/bind/lib/dns/spnego_asn1.pl b/usr.sbin/bind/lib/dns/spnego_asn1.pl
index 107996892c3..aba081abf8d 100644
--- a/usr.sbin/bind/lib/dns/spnego_asn1.pl
+++ b/usr.sbin/bind/lib/dns/spnego_asn1.pl
@@ -1,6 +1,6 @@
 #!/bin/bin/perl -w
 #
-# Copyright (C) 2006, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: spnego_asn1.pl,v 1.1 2019/12/16 16:31:33 deraadt Exp $
+# $Id: spnego_asn1.pl,v 1.2 2019/12/17 01:46:32 sthen Exp $
 
 # Our SPNEGO implementation uses some functions generated by the
 # Heimdal ASN.1 compiler, which this script then whacks a bit to make
@@ -99,7 +99,7 @@ print(q~/*
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spnego_asn1.pl,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: spnego_asn1.pl,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file
  * \brief Method routines generated from SPNEGO ASN.1 module.
diff --git a/usr.sbin/bind/lib/dns/ssu.c b/usr.sbin/bind/lib/dns/ssu.c
index 0728d567d0b..f540b77dafa 100644
--- a/usr.sbin/bind/lib/dns/ssu.c
+++ b/usr.sbin/bind/lib/dns/ssu.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2010, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +16,7 @@
 
 /*! \file */
 /*
- * $Id: ssu.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: ssu.c,v 1.3 2019/12/17 01:46:32 sthen Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -348,9 +347,20 @@ stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
 
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, isc_netaddr_t *tcpaddr,
-			dns_rdatatype_t type,
-			const dst_key_t *key)
+			dns_name_t *name, isc_netaddr_t *addr,
+			dns_rdatatype_t type, const dst_key_t *key)
+{
+	return (dns_ssutable_checkrules2
+		(table, signer, name, addr,
+		 addr == NULL ? ISC_FALSE : ISC_TRUE,
+		 NULL, type, key));
+}
+
+isc_boolean_t
+dns_ssutable_checkrules2(dns_ssutable_t *table, dns_name_t *signer,
+			 dns_name_t *name, isc_netaddr_t *addr,
+			 isc_boolean_t tcp, const dns_aclenv_t *env,
+			 dns_rdatatype_t type, const dst_key_t *key)
 {
 	dns_ssurule_t *rule;
 	unsigned int i;
@@ -359,12 +369,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 	dns_name_t *tcpself;
 	dns_name_t *stfself;
 	isc_result_t result;
+	int match;
 
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
 	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(addr == NULL || env != NULL);
 
-	if (signer == NULL && tcpaddr == NULL)
+	if (signer == NULL && addr == NULL)
 		return (ISC_FALSE);
 
 	for (rule = ISC_LIST_HEAD(table->rules);
@@ -373,6 +385,7 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 	{
 		switch (rule->matchtype) {
 		case DNS_SSUMATCHTYPE_NAME:
+		case DNS_SSUMATCHTYPE_LOCAL:
 		case DNS_SSUMATCHTYPE_SUBDOMAIN:
 		case DNS_SSUMATCHTYPE_WILDCARD:
 		case DNS_SSUMATCHTYPE_SELF:
@@ -398,7 +411,7 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 			break;
 		case DNS_SSUMATCHTYPE_TCPSELF:
 		case DNS_SSUMATCHTYPE_6TO4SELF:
-			if (tcpaddr == NULL)
+			if (!tcp || addr == NULL)
 				continue;
 			break;
 		}
@@ -412,6 +425,29 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
 			break;
+		case DNS_SSUMATCHTYPE_LOCAL:
+			if (addr == NULL) {
+				continue;
+			}
+			if (!dns_name_issubdomain(name, rule->name)) {
+				continue;
+			}
+			dns_acl_match(addr, NULL, env->localhost,
+				      NULL, &match, NULL);
+			if (match == 0) {
+				if (signer != NULL) {
+					isc_log_write(dns_lctx,
+						      DNS_LOGCATEGORY_GENERAL,
+						      DNS_LOGMODULE_SSU,
+						      ISC_LOG_WARNING,
+						      "update-policy local: "
+						      "match on session "
+						      "key not from "
+						      "localhost");
+				}
+				continue;
+			}
+			break;
 		case DNS_SSUMATCHTYPE_WILDCARD:
 			if (!dns_name_matcheswildcard(name, rule->name))
 				continue;
@@ -461,7 +497,7 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 		case DNS_SSUMATCHTYPE_TCPSELF:
 			dns_fixedname_init(&fixed);
 			tcpself = dns_fixedname_name(&fixed);
-			reverse_from_address(tcpself, tcpaddr);
+			reverse_from_address(tcpself, addr);
 			if (dns_name_iswildcard(rule->identity)) {
 				if (!dns_name_matcheswildcard(tcpself,
 							      rule->identity))
@@ -476,7 +512,7 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 		case DNS_SSUMATCHTYPE_6TO4SELF:
 			dns_fixedname_init(&fixed);
 			stfself = dns_fixedname_name(&fixed);
-			stf_from_address(stfself, tcpaddr);
+			stf_from_address(stfself, addr);
 			if (dns_name_iswildcard(rule->identity)) {
 				if (!dns_name_matcheswildcard(stfself,
 							      rule->identity))
@@ -490,13 +526,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 			break;
 		case DNS_SSUMATCHTYPE_EXTERNAL:
 			if (!dns_ssu_external_match(rule->identity, signer,
-						    name, tcpaddr, type, key,
+						    name, addr, type, key,
 						    table->mctx))
 				continue;
 			break;
 		case DNS_SSUMATCHTYPE_DLZ:
 			if (!dns_dlz_ssumatch(table->dlzdatabase, signer,
-					      name, tcpaddr, type, key))
+					      name, addr, type, key))
 				continue;
 			break;
 		}
@@ -611,3 +647,43 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
 	*tablep = table;
 	return (ISC_R_SUCCESS);
 }
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
+
+	REQUIRE(str != NULL);
+	REQUIRE(mtype != NULL);
+
+	if (strcasecmp(str, "name") == 0) {
+		*mtype = dns_ssumatchtype_name;
+	} else if (strcasecmp(str, "subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "wildcard") == 0) {
+		*mtype = dns_ssumatchtype_wildcard;
+	} else if (strcasecmp(str, "self") == 0) {
+		*mtype = dns_ssumatchtype_self;
+	} else if (strcasecmp(str, "selfsub") == 0) {
+		*mtype = dns_ssumatchtype_selfsub;
+	} else if (strcasecmp(str, "selfwild") == 0) {
+		*mtype = dns_ssumatchtype_selfwild;
+	} else if (strcasecmp(str, "ms-self") == 0) {
+		*mtype = dns_ssumatchtype_selfms;
+	} else if (strcasecmp(str, "krb5-self") == 0) {
+		*mtype = dns_ssumatchtype_selfkrb5;
+	} else if (strcasecmp(str, "ms-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainms;
+	} else if (strcasecmp(str, "krb5-subdomain") == 0) {
+		*mtype = dns_ssumatchtype_subdomainkrb5;
+	} else if (strcasecmp(str, "tcp-self") == 0) {
+		*mtype = dns_ssumatchtype_tcpself;
+	} else if (strcasecmp(str, "6to4-self") == 0) {
+		*mtype = dns_ssumatchtype_6to4self;
+	} else if (strcasecmp(str, "zonesub") == 0) {
+		*mtype = dns_ssumatchtype_subdomain;
+	} else if (strcasecmp(str, "external") == 0) {
+		*mtype = dns_ssumatchtype_external;
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
+	return (ISC_R_SUCCESS);
+}
diff --git a/usr.sbin/bind/lib/dns/ssu_external.c b/usr.sbin/bind/lib/dns/ssu_external.c
index 9dcbcae62d0..1ae7e4fd342 100644
--- a/usr.sbin/bind/lib/dns/ssu_external.c
+++ b/usr.sbin/bind/lib/dns/ssu_external.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ssu_external.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: ssu_external.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 /*
  * This implements external update-policy rules.  This allows permission
@@ -34,6 +34,7 @@
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/netaddr.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/string.h>
 #include <isc/util.h>
diff --git a/usr.sbin/bind/lib/dns/stats.c b/usr.sbin/bind/lib/dns/stats.c
index 40635916bec..a1e7153201b 100644
--- a/usr.sbin/bind/lib/dns/stats.c
+++ b/usr.sbin/bind/lib/dns/stats.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: stats.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/tcpmsg.c b/usr.sbin/bind/lib/dns/tcpmsg.c
index 4778b355bc0..a0ffc57721f 100644
--- a/usr.sbin/bind/lib/dns/tcpmsg.c
+++ b/usr.sbin/bind/lib/dns/tcpmsg.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: tcpmsg.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -122,7 +121,7 @@ recv_message(isc_task_t *task, isc_event_t *ev_in) {
 	tcpmsg->result = ISC_R_SUCCESS;
 	isc_buffer_add(&tcpmsg->buffer, ev->n);
 
-	XDEBUG(("Received %d bytes (of %d)\n", ev->n, tcpmsg->size));
+	XDEBUG(("Received %u bytes (of %d)\n", ev->n, tcpmsg->size));
 
  send_and_free:
 	isc_task_send(tcpmsg->task, &dev);
diff --git a/usr.sbin/bind/lib/dns/time.c b/usr.sbin/bind/lib/dns/time.c
index 6fccd1f58f3..b45c9fe4fc7 100644
--- a/usr.sbin/bind/lib/dns/time.c
+++ b/usr.sbin/bind/lib/dns/time.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009-2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.6 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: time.c,v 1.7 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -40,7 +39,7 @@ static const int days[12] = { 31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31 };
 isc_result_t
 dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 	struct tm tm;
-	char buf[sizeof("YYYYMMDDHHMMSS")];
+	char buf[sizeof("!!!!!!YYYY!!!!!!!!MM!!!!!!!!DD!!!!!!!!HH!!!!!!!!MM!!!!!!!!SS")];
 	int secs;
 	unsigned int l;
 	isc_region_t region;
diff --git a/usr.sbin/bind/lib/dns/timer.c b/usr.sbin/bind/lib/dns/timer.c
index 9be8c0ed215..575db3f6093 100644
--- a/usr.sbin/bind/lib/dns/timer.c
+++ b/usr.sbin/bind/lib/dns/timer.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: timer.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/tkey.c b/usr.sbin/bind/lib/dns/tkey.c
index 41b653f4bce..2144aa28301 100644
--- a/usr.sbin/bind/lib/dns/tkey.c
+++ b/usr.sbin/bind/lib/dns/tkey.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/dns/tsec.c b/usr.sbin/bind/lib/dns/tsec.c
index 295e186b252..2af32cb26dd 100644
--- a/usr.sbin/bind/lib/dns/tsec.c
+++ b/usr.sbin/bind/lib/dns/tsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2010, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,11 +14,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsec.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: tsec.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
 #include <isc/mem.h>
+#include <isc/util.h>
 
 #include <pk11/site.h>
 
diff --git a/usr.sbin/bind/lib/dns/tsig.c b/usr.sbin/bind/lib/dns/tsig.c
index d1662b985dd..abbc46cca6e 100644
--- a/usr.sbin/bind/lib/dns/tsig.c
+++ b/usr.sbin/bind/lib/dns/tsig.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.7 2019/12/16 16:16:24 deraadt Exp $
+ * $Id: tsig.c,v 1.8 2019/12/17 01:46:32 sthen Exp $
  */
 /*! \file */
 #include <config.h>
@@ -76,34 +75,31 @@
 	 (algname) != dns_tsig_gssapims_name)
 #endif
 
+#ifndef DNS_NAME_INITABSOLUTE
+#define DNS_NAME_INITABSOLUTE(A,B) { \
+	DNS_NAME_MAGIC, \
+	A, sizeof(A), sizeof(B), \
+	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE, \
+	B, NULL, { (void *)-1, (void *)-1}, \
+	{NULL, NULL} \
+}
+#endif
+
 #define BADTIMELEN 6
 
 #ifndef PK11_MD5_DISABLE
 static unsigned char hmacmd5_ndata[] = "\010hmac-md5\007sig-alg\003reg\003int";
 static unsigned char hmacmd5_offsets[] = { 0, 9, 17, 21, 25 };
 
-static dns_name_t hmacmd5 = {
-	DNS_NAME_MAGIC,
-	hmacmd5_ndata, 26, 5,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacmd5_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacmd5 =
+	DNS_NAME_INITABSOLUTE(hmacmd5_ndata, hmacmd5_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
 #endif
 
 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
 static unsigned char gsstsig_offsets[] = { 0, 9 };
-static dns_name_t gsstsig = {
-	DNS_NAME_MAGIC,
-	gsstsig_ndata, 10, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	gsstsig_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t gsstsig =
+	DNS_NAME_INITABSOLUTE(gsstsig_ndata, gsstsig_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
 
 /*
@@ -112,84 +108,38 @@ LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
  */
 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-static dns_name_t gsstsigms = {
-	DNS_NAME_MAGIC,
-	gsstsigms_ndata, 19, 4,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	gsstsigms_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
+static dns_name_t gsstsigms =
+	DNS_NAME_INITABSOLUTE(gsstsigms_ndata, gsstsigms_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
 
 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
 static unsigned char hmacsha1_offsets[] = { 0, 10 };
-
-static dns_name_t  hmacsha1 = {
-	DNS_NAME_MAGIC,
-	hmacsha1_ndata, 11, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha1_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacsha1 =
+	DNS_NAME_INITABSOLUTE(hmacsha1_ndata, hmacsha1_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha1_name = &hmacsha1;
 
 static unsigned char hmacsha224_ndata[] = "\013hmac-sha224";
 static unsigned char hmacsha224_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha224 = {
-	DNS_NAME_MAGIC,
-	hmacsha224_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha224_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacsha224 =
+	DNS_NAME_INITABSOLUTE(hmacsha224_ndata, hmacsha224_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha224_name = &hmacsha224;
 
 static unsigned char hmacsha256_ndata[] = "\013hmac-sha256";
 static unsigned char hmacsha256_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha256 = {
-	DNS_NAME_MAGIC,
-	hmacsha256_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha256_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacsha256 =
+	DNS_NAME_INITABSOLUTE(hmacsha256_ndata, hmacsha256_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha256_name = &hmacsha256;
 
 static unsigned char hmacsha384_ndata[] = "\013hmac-sha384";
 static unsigned char hmacsha384_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha384 = {
-	DNS_NAME_MAGIC,
-	hmacsha384_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha384_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacsha384 =
+	DNS_NAME_INITABSOLUTE(hmacsha384_ndata, hmacsha384_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha384_name = &hmacsha384;
 
 static unsigned char hmacsha512_ndata[] = "\013hmac-sha512";
 static unsigned char hmacsha512_offsets[] = { 0, 12 };
-
-static dns_name_t hmacsha512 = {
-	DNS_NAME_MAGIC,
-	hmacsha512_ndata, 13, 2,
-	DNS_NAMEATTR_READONLY | DNS_NAMEATTR_ABSOLUTE,
-	hmacsha512_offsets, NULL,
-	{(void *)-1, (void *)-1},
-	{NULL, NULL}
-};
-
+static dns_name_t hmacsha512 =
+	DNS_NAME_INITABSOLUTE(hmacsha512_ndata, hmacsha512_offsets);
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_hmacsha512_name = &hmacsha512;
 
 static isc_result_t
@@ -213,28 +163,31 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
-	if (key != NULL)
+	if (key != NULL) {
 		dns_name_format(&key->name, namestr, sizeof(namestr));
-	else
-		strcpy(namestr, "<null>");
+	} else {
+		strlcpy(namestr, "<null>", sizeof(namestr));
+	}
 
-	if (key != NULL && key->generated && key->creator)
+	if (key != NULL && key->generated && key->creator) {
 		dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
-	else
-		strcpy(creatorstr, "<null>");
+	} else {
+		strlcpy(creatorstr, "<null>", sizeof(creatorstr));
+	}
 
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
-	if (key != NULL && key->generated)
+	if (key != NULL && key->generated) {
 		isc_log_write(dns_lctx,
 			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
 			      level, "tsig key '%s' (%s): %s",
 			      namestr, creatorstr, message);
-	else
+	} else {
 		isc_log_write(dns_lctx,
 			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
 			      level, "tsig key '%s': %s", namestr, message);
+	}
 }
 
 static void
@@ -980,7 +933,6 @@ dns_tsig_sign(dns_message_t *msg) {
 		 * has validated at this point. This is why we include a
 		 * MAC length > 0 in the reply.
 		 */
-
 		ret = dst_context_create3(key->key, mctx,
 					  DNS_LOGCATEGORY_DNSSEC,
 					  ISC_TRUE, &ctx);
@@ -993,6 +945,8 @@ dns_tsig_sign(dns_message_t *msg) {
 		if (response) {
 			dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
 
+			INSIST(msg->verified_sig);
+
 			ret = dns_rdataset_first(msg->querytsig);
 			if (ret != ISC_R_SUCCESS)
 				goto cleanup_context;
@@ -1484,6 +1438,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 		} else if (ret != ISC_R_SUCCESS) {
 			goto cleanup_context;
 		}
+		msg->verified_sig = 1;
 	} else if (tsig.error != dns_tsigerror_badsig &&
 		   tsig.error != dns_tsigerror_badkey) {
 		tsig_log(msg->tsigkey, 2, "signature was empty");
@@ -1561,7 +1516,6 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	}
 
 	msg->tsigstatus = dns_rcode_noerror;
-	msg->verified_sig = 1;
 	ret = ISC_R_SUCCESS;
 
  cleanup_context:
@@ -1728,13 +1682,13 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		addcount_n = ntohs(addcount);
 		addcount = htons((isc_uint16_t)(addcount_n - 1));
 		memmove(&header[DNS_MESSAGE_HEADERLEN - 2], &addcount, 2);
-	}
 
-	/*
-	 * Put in the original id.
-	 */
-	/* XXX Can TCP transfers be forwarded?  How would that work? */
-	if (has_tsig) {
+		/*
+		 * Put in the original id.
+		 *
+		 * XXX Can TCP transfers be forwarded?  How would that
+		 * work?
+		 */
 		id = htons(tsig.originalid);
 		memmove(&header[0], &id, 2);
 	}
@@ -1800,6 +1754,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		} else if (ret != ISC_R_SUCCESS) {
 			goto cleanup_context;
 		}
+		msg->verified_sig = 1;
 
 		/*
 		 * Here at this point, the MAC has been verified. Even
@@ -1887,7 +1842,6 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	}
 
 	msg->tsigstatus = dns_rcode_noerror;
-	msg->verified_sig = 1;
 	ret = ISC_R_SUCCESS;
 
  cleanup_context:
diff --git a/usr.sbin/bind/lib/dns/ttl.c b/usr.sbin/bind/lib/dns/ttl.c
index bf4d43b56ae..38936c13bde 100644
--- a/usr.sbin/bind/lib/dns/ttl.c
+++ b/usr.sbin/bind/lib/dns/ttl.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.c,v 1.7 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: ttl.c,v 1.8 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -161,8 +160,8 @@ bind_ttl(isc_textregion_t *source, isc_uint32_t *ttl) {
 	 */
 	if (source->length > sizeof(buf) - 1)
 		return (DNS_R_SYNTAX);
-	strncpy(buf, source->base, source->length);
-	buf[source->length] = '\0';
+	/* Copy source->length bytes and NUL terminate. */
+	snprintf(buf, sizeof(buf), "%.*s", (int)source->length, source->base);
 	s = buf;
 
 	do {
diff --git a/usr.sbin/bind/lib/dns/update.c b/usr.sbin/bind/lib/dns/update.c
index 4a982eed153..c7ab2adca42 100644
--- a/usr.sbin/bind/lib/dns/update.c
+++ b/usr.sbin/bind/lib/dns/update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.1 2019/12/16 16:31:33 deraadt Exp $ */
+/* $Id: update.c,v 1.2 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
@@ -22,6 +22,7 @@
 #include <isc/magic.h>
 #include <isc/mem.h>
 #include <isc/netaddr.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/serial.h>
 #include <isc/stats.h>
@@ -1111,6 +1112,8 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 
 		if (!dst_key_isprivate(keys[i]))
 			continue;
+		if (dst_key_inactive(keys[i]))	/* Should be redundant. */
+			continue;
 
 		if (check_ksk && !REVOKE(keys[i])) {
 			isc_boolean_t have_ksk, have_nonksk;
@@ -1124,6 +1127,10 @@ add_sigs(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 			for (j = 0; j < nkeys; j++) {
 				if (j == i || ALG(keys[i]) != ALG(keys[j]))
 					continue;
+				if (!dst_key_isprivate(keys[j]))
+					continue;
+				if (dst_key_inactive(keys[j]))	/* SBR */
+					continue;
 				if (REVOKE(keys[j]))
 					continue;
 				if (KSK(keys[j]))
@@ -1388,7 +1395,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	unsigned int sigs = 0;
 	unsigned int maxsigs = dns_zone_getsignatures(zone);
 
-	if (statep == NULL || (statep != NULL && *statep == NULL)) {
+	if (statep == NULL || *statep == NULL) {
 		if (statep == NULL) {
 			state = &mystate;
 		} else {
@@ -1545,7 +1552,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 
 		update_log(log, zone, ISC_LOG_DEBUG(3),
 			   "updated data signatures");
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case remove_orphaned:
 		state->state = remove_orphaned;
 
@@ -1578,7 +1585,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		update_log(log, zone, ISC_LOG_DEBUG(3),
 			   "rebuilding NSEC chain");
 
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case build_chain:
 		state->state = build_chain;
 		/*
@@ -1666,7 +1673,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 
 		CHECK(uniqify_name_list(&state->affected));
 
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case process_nsec:
 		state->state = process_nsec;
 
@@ -1783,7 +1790,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		update_log(log, zone, ISC_LOG_DEBUG(3),
 			   "signing rebuilt NSEC chain");
 
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case sign_nsec:
 		state->state = sign_nsec;
 		/* Update RRSIG NSECs. */
@@ -1813,7 +1820,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		}
 		ISC_LIST_APPENDLIST(state->nsec_mindiff.tuples,
 				    state->work.tuples, link);
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case update_nsec3:
 		state->state = update_nsec3;
 
@@ -1901,7 +1908,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 				t = ISC_LIST_NEXT(t, link);
 		}
 
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case process_nsec3:
 		state->state = process_nsec3;
 		while ((t = ISC_LIST_HEAD(state->affected.tuples)) != NULL) {
@@ -1956,7 +1963,7 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 		update_log(log, zone, ISC_LOG_DEBUG(3),
 			   "signing rebuilt NSEC3 chain");
 
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case sign_nsec3:
 		state->state = sign_nsec3;
 		/* Update RRSIG NSEC3s. */
@@ -2007,6 +2014,10 @@ dns_update_signaturesinc(dns_update_log_t *log, dns_zone_t *zone, dns_db_t *db,
 	}
 
  failure:
+	if (node != NULL) {
+		dns_db_detachnode(db, &node);
+	}
+
 	dns_diff_clear(&state->sig_diff);
 	dns_diff_clear(&state->nsec_diff);
 	dns_diff_clear(&state->nsec_mindiff);
diff --git a/usr.sbin/bind/lib/dns/validator.c b/usr.sbin/bind/lib/dns/validator.c
index 2ca49cc4d48..aef8bf7b766 100644
--- a/usr.sbin/bind/lib/dns/validator.c
+++ b/usr.sbin/bind/lib/dns/validator.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.8 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: validator.c,v 1.9 2019/12/17 01:46:32 sthen Exp $ */
 
 #include <config.h>
 
@@ -1823,10 +1822,10 @@ dlv_validatezonekey(dns_validator_t *val) {
 	supported_algorithm = ISC_FALSE;
 
 	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 	 */
 	memset(digest_types, 1, sizeof(digest_types));
 	for (result = dns_rdataset_first(&val->dlv);
@@ -1837,13 +1836,21 @@ dlv_validatezonekey(dns_validator_t *val) {
 		result = dns_rdata_tostruct(&dlvrdata, &dlv, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      dlv.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      dlv.algorithm))
 			continue;
 
-		if (dlv.digest_type == DNS_DSDIGEST_SHA256 &&
-		    dlv.length == ISC_SHA256_DIGESTLENGTH) {
+		if ((dlv.digest_type == DNS_DSDIGEST_SHA256 &&
+		     dlv.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (dlv.digest_type == DNS_DSDIGEST_SHA384 &&
+		     dlv.length == ISC_SHA384_DIGESTLENGTH))
+		{
 			digest_types[DNS_DSDIGEST_SHA1] = 0;
 			break;
 		}
@@ -2175,10 +2182,10 @@ validatezonekey(dns_validator_t *val) {
 	supported_algorithm = ISC_FALSE;
 
 	/*
-	 * If DNS_DSDIGEST_SHA256 is present we are required to prefer
-	 * it over DNS_DSDIGEST_SHA1.  This in practice means that we
-	 * need to ignore DNS_DSDIGEST_SHA1 if a DNS_DSDIGEST_SHA256
-	 * is present.
+	 * If DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present we
+	 * are required to prefer it over DNS_DSDIGEST_SHA1.  This in
+	 * practice means that we need to ignore DNS_DSDIGEST_SHA1 if a
+	 * DNS_DSDIGEST_SHA256 or DNS_DSDIGEST_SHA384 is present.
 	 */
 	memset(digest_types, 1, sizeof(digest_types));
 	for (result = dns_rdataset_first(val->dsset);
@@ -2189,13 +2196,21 @@ validatezonekey(dns_validator_t *val) {
 		result = dns_rdata_tostruct(&dsrdata, &ds, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+		if (!dns_resolver_ds_digest_supported(val->view->resolver,
+						      val->event->name,
+						      ds.digest_type))
+			continue;
+
 		if (!dns_resolver_algorithm_supported(val->view->resolver,
 						      val->event->name,
 						      ds.algorithm))
 			continue;
 
-		if (ds.digest_type == DNS_DSDIGEST_SHA256 &&
-		    ds.length == ISC_SHA256_DIGESTLENGTH) {
+		if ((ds.digest_type == DNS_DSDIGEST_SHA256 &&
+		     ds.length == ISC_SHA256_DIGESTLENGTH) ||
+		    (ds.digest_type == DNS_DSDIGEST_SHA384 &&
+		     ds.length == ISC_SHA384_DIGESTLENGTH))
+		{
 			digest_types[DNS_DSDIGEST_SHA1] = 0;
 			break;
 		}
diff --git a/usr.sbin/bind/lib/dns/version.c b/usr.sbin/bind/lib/dns/version.c
index 925dcf8be18..09d46c1769d 100644
--- a/usr.sbin/bind/lib/dns/version.c
+++ b/usr.sbin/bind/lib/dns/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/dns/view.c b/usr.sbin/bind/lib/dns/view.c
index 281876f1b08..184b0d02a09 100644
--- a/usr.sbin/bind/lib/dns/view.c
+++ b/usr.sbin/bind/lib/dns/view.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -207,6 +206,7 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->requestnsid = ISC_FALSE;
 	view->requestsit = ISC_TRUE;
 	view->trust_anchor_telemetry = ISC_TRUE;
+	view->root_key_sentinel = ISC_TRUE;
 	view->new_zone_file = NULL;
 	view->new_zone_config = NULL;
 	view->cfg_destroy = NULL;
@@ -281,6 +281,7 @@ static inline void
 destroy(dns_view_t *view) {
 	dns_dns64_t *dns64;
 	dns_dlzdb_t *dlzdb;
+	isc_result_t result;
 
 	REQUIRE(!ISC_LINK_LINKED(view, link));
 	REQUIRE(isc_refcount_current(&view->references) == 0);
@@ -295,7 +296,6 @@ destroy(dns_view_t *view) {
 		dns_peerlist_detach(&view->peers);
 
 	if (view->dynamickeys != NULL) {
-		isc_result_t result;
 		char template[20];
 		char keyfile[20];
 		FILE *fp = NULL;
@@ -453,7 +453,8 @@ destroy(dns_view_t *view) {
 		dns_zone_detach(&view->managed_keys);
 	if (view->redirect != NULL)
 		dns_zone_detach(&view->redirect);
-	dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
+	result = dns_view_setnewzones(view, ISC_FALSE, NULL, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_fwdtable_destroy(&view->fwdtable);
 	dns_aclenv_destroy(&view->aclenv);
 	DESTROYLOCK(&view->lock);
@@ -1402,7 +1403,7 @@ dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
 	dns_view_t *view;
 	isc_result_t result;
 	dns_zone_t *zone1 = NULL, *zone2 = NULL;
-	dns_zone_t **zp = NULL;;
+	dns_zone_t **zp = NULL;
 
 	REQUIRE(list != NULL);
 	REQUIRE(zonep != NULL && *zonep == NULL);
@@ -1600,7 +1601,7 @@ dns_view_flushnode(dns_view_t *view, dns_name_t *name, isc_boolean_t tree) {
 isc_result_t
 dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
 	isc_result_t result;
-	dns_name_t *new;
+	dns_name_t *item;
 	isc_uint32_t hash;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1615,27 +1616,27 @@ dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name) {
 			ISC_LIST_INIT(view->delonly[hash]);
 	}
 	hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
-	new = ISC_LIST_HEAD(view->delonly[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new != NULL)
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item != NULL)
 		return (ISC_R_SUCCESS);
-	new = isc_mem_get(view->mctx, sizeof(*new));
-	if (new == NULL)
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	if (item == NULL)
 		return (ISC_R_NOMEMORY);
-	dns_name_init(new, NULL);
-	result = dns_name_dup(name, view->mctx, new);
+	dns_name_init(item, NULL);
+	result = dns_name_dup(name, view->mctx, item);
 	if (result == ISC_R_SUCCESS)
-		ISC_LIST_APPEND(view->delonly[hash], new, link);
+		ISC_LIST_APPEND(view->delonly[hash], item, link);
 	else
-		isc_mem_put(view->mctx, new, sizeof(*new));
+		isc_mem_put(view->mctx, item, sizeof(*item));
 	return (result);
 }
 
 isc_result_t
 dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
 	isc_result_t result;
-	dns_name_t *new;
+	dns_name_t *item;
 	isc_uint32_t hash;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1650,26 +1651,26 @@ dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name) {
 			ISC_LIST_INIT(view->rootexclude[hash]);
 	}
 	hash = dns_name_hash(name, ISC_FALSE) % DNS_VIEW_DELONLYHASH;
-	new = ISC_LIST_HEAD(view->rootexclude[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new != NULL)
+	item = ISC_LIST_HEAD(view->rootexclude[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item != NULL)
 		return (ISC_R_SUCCESS);
-	new = isc_mem_get(view->mctx, sizeof(*new));
-	if (new == NULL)
+	item = isc_mem_get(view->mctx, sizeof(*item));
+	if (item == NULL)
 		return (ISC_R_NOMEMORY);
-	dns_name_init(new, NULL);
-	result = dns_name_dup(name, view->mctx, new);
+	dns_name_init(item, NULL);
+	result = dns_name_dup(name, view->mctx, item);
 	if (result == ISC_R_SUCCESS)
-		ISC_LIST_APPEND(view->rootexclude[hash], new, link);
+		ISC_LIST_APPEND(view->rootexclude[hash], item, link);
 	else
-		isc_mem_put(view->mctx, new, sizeof(*new));
+		isc_mem_put(view->mctx, item, sizeof(*item));
 	return (result);
 }
 
 isc_boolean_t
 dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
-	dns_name_t *new;
+	dns_name_t *item;
 	isc_uint32_t hash;
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1681,20 +1682,20 @@ dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name) {
 	if (view->rootdelonly && dns_name_countlabels(name) <= 2) {
 		if (view->rootexclude == NULL)
 			return (ISC_TRUE);
-		new = ISC_LIST_HEAD(view->rootexclude[hash]);
-		while (new != NULL && !dns_name_equal(new, name))
-			new = ISC_LIST_NEXT(new, link);
-		if (new == NULL)
+		item = ISC_LIST_HEAD(view->rootexclude[hash]);
+		while (item != NULL && !dns_name_equal(item, name))
+			item = ISC_LIST_NEXT(item, link);
+		if (item == NULL)
 			return (ISC_TRUE);
 	}
 
 	if (view->delonly == NULL)
 		return (ISC_FALSE);
 
-	new = ISC_LIST_HEAD(view->delonly[hash]);
-	while (new != NULL && !dns_name_equal(new, name))
-		new = ISC_LIST_NEXT(new, link);
-	if (new == NULL)
+	item = ISC_LIST_HEAD(view->delonly[hash]);
+	while (item != NULL && !dns_name_equal(item, name))
+		item = ISC_LIST_NEXT(item, link);
+	if (item == NULL)
 		return (ISC_FALSE);
 	return (ISC_TRUE);
 }
@@ -1853,7 +1854,7 @@ dns_view_untrust(dns_view_t *view, dns_name_t *keyname,
 
 #define NZF ".nzf"
 
-void
+isc_result_t
 dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
 		     void (*cfg_destroy)(void **))
 {
@@ -1876,9 +1877,12 @@ dns_view_setnewzones(dns_view_t *view, isc_boolean_t allow, void *cfgctx,
 		/* Truncate the hash at 16 chars; full length is overkill */
 		isc_string_printf(buffer + 16, sizeof(NZF), "%s", NZF);
 		view->new_zone_file = isc_mem_strdup(view->mctx, buffer);
+		if (view->new_zone_file == NULL)
+			return (ISC_R_NOMEMORY);
 		view->new_zone_config = cfgctx;
 		view->cfg_destroy = cfg_destroy;
 	}
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -1968,3 +1972,47 @@ dns_view_searchdlz(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
 
 	return (ISC_R_NOTFOUND);
 }
+
+void
+dns_view_setviewcommit(dns_view_t *view) {
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	LOCK(&view->lock);
+
+	if (view->redirect != NULL) {
+		dns_zone_setviewcommit(view->redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_setviewcommit(view->managed_keys);
+	}
+	if (view->zonetable != NULL) {
+		dns_zt_setviewcommit(view->zonetable);
+	}
+
+	UNLOCK(&view->lock);
+}
+
+void
+dns_view_setviewrevert(dns_view_t *view) {
+	dns_zt_t *zonetable;
+
+	REQUIRE(DNS_VIEW_VALID(view));
+
+	/*
+	 * dns_zt_setviewrevert() attempts to lock this view, so we must
+	 * release the lock.
+	 */
+	LOCK(&view->lock);
+	if (view->redirect != NULL) {
+		dns_zone_setviewrevert(view->redirect);
+	}
+	if (view->managed_keys != NULL) {
+		dns_zone_setviewrevert(view->managed_keys);
+	}
+	zonetable = view->zonetable;
+	UNLOCK(&view->lock);
+
+	if (zonetable != NULL) {
+		dns_zt_setviewrevert(zonetable);
+	}
+}
diff --git a/usr.sbin/bind/lib/dns/xfrin.c b/usr.sbin/bind/lib/dns/xfrin.c
index be5ac88de8a..79fe6be29b4 100644
--- a/usr.sbin/bind/lib/dns/xfrin.c
+++ b/usr.sbin/bind/lib/dns/xfrin.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011-2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.11 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: xfrin.c,v 1.12 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -621,6 +620,7 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 	case XFRST_IXFR_END:
 		FAIL(DNS_R_EXTRADATA);
 		/* NOTREACHED */
+		/* FALLTHROUGH */
 	default:
 		INSIST(0);
 		break;
@@ -1022,8 +1022,9 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	result = isc_socket_getsockname(xfr->socket, &sockaddr);
 	if (result == ISC_R_SUCCESS) {
 		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
-	} else
-		strcpy(sourcetext, "<UNKNOWN>");
+	} else {
+		strlcpy(sourcetext, "<UNKNOWN>", sizeof(sourcetext));
+	}
 	xfrin_log(xfr, ISC_LOG_INFO, "connected using %s", sourcetext);
 
 	dns_tcpmsg_init(xfr->mctx, xfr->socket, &xfr->tcpmsg);
diff --git a/usr.sbin/bind/lib/dns/zone.c b/usr.sbin/bind/lib/dns/zone.c
index ccaaf74696f..57612684abd 100644
--- a/usr.sbin/bind/lib/dns/zone.c
+++ b/usr.sbin/bind/lib/dns/zone.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -86,6 +85,8 @@
 
 #include <dst/dst.h>
 
+#include "zone_p.h"
+
 #define ZONE_MAGIC			ISC_MAGIC('Z', 'O', 'N', 'E')
 #define DNS_ZONE_VALID(zone)		ISC_MAGIC_VALID(zone, ZONE_MAGIC)
 
@@ -310,6 +311,7 @@ struct dns_zone {
 	isc_uint32_t		sigvalidityinterval;
 	isc_uint32_t		sigresigninginterval;
 	dns_view_t		*view;
+	dns_view_t		*prev_view;
 	dns_acache_t		*acache;
 	dns_checkmxfunc_t	checkmx;
 	dns_checksrvfunc_t	checksrv;
@@ -415,14 +417,9 @@ struct dns_zone {
 	dns_update_state_t      *rss_state;
 };
 
-typedef struct {
-	dns_diff_t	*diff;
-	isc_boolean_t	offline;
-} zonediff_t;
-
 #define zonediff_init(z, d) \
 	do { \
-		zonediff_t *_z = (z); \
+		dns__zonediff_t *_z = (z); \
 		(_z)->diff = (d); \
 		(_z)->offline = ISC_FALSE; \
 	} while (0)
@@ -635,7 +632,7 @@ struct dns_signing {
 	dns_dbiterator_t	*dbiterator;
 	dns_secalg_t		algorithm;
 	isc_uint16_t		keyid;
-	isc_boolean_t		delete;
+	isc_boolean_t		deleteit;
 	isc_boolean_t		done;
 	ISC_LINK(dns_signing_t)	link;
 };
@@ -799,7 +796,8 @@ static void zone_maintenance(dns_zone_t *zone);
 static void zone_notify(dns_zone_t *zone, isc_time_t *now);
 static void dump_done(void *arg, isc_result_t result);
 static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
-				     isc_uint16_t keyid, isc_boolean_t delete);
+				     isc_uint16_t keyid,
+				     isc_boolean_t deleteit);
 static isc_result_t delete_nsec(dns_db_t *db, dns_dbversion_t *ver,
 				dns_dbnode_t *node, dns_name_t *name,
 				dns_diff_t *diff);
@@ -879,19 +877,22 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 
 	TIME_NOW(&now);
 	zone = isc_mem_get(mctx, sizeof(*zone));
-	if (zone == NULL)
+	if (zone == NULL) {
 		return (ISC_R_NOMEMORY);
+	}
 
 	zone->mctx = NULL;
 	isc_mem_attach(mctx, &zone->mctx);
 
 	result = isc_mutex_init(&zone->lock);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto free_zone;
+	}
 
 	result = ZONEDB_INITLOCK(&zone->dblock);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto free_mutex;
+	}
 
 	/* XXX MPA check that all elements are initialised */
 #ifdef DNS_ZONE_CHECKLOCK
@@ -901,8 +902,9 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->zmgr = NULL;
 	ISC_LINK_INIT(zone, link);
 	result = isc_refcount_init(&zone->erefs, 1);	/* Implicit attach. */
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto free_dblock;
+	}
 	zone->irefs = 0;
 	dns_name_init(&zone->origin, NULL);
 	zone->strnamerd = NULL;
@@ -998,6 +1000,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->sigvalidityinterval = 30 * 24 * 3600;
 	zone->sigresigninginterval = 7 * 24 * 3600;
 	zone->view = NULL;
+	zone->prev_view = NULL;
 	zone->acache = NULL;
 	zone->checkmx = NULL;
 	zone->checksrv = NULL;
@@ -1033,13 +1036,15 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->rss_event = NULL;
 	zone->rss_state = NULL;
 	zone->updatemethod = dns_updatemethod_increment;
+	zone->maxrecords = 0U;
 
 	zone->magic = ZONE_MAGIC;
 
 	/* Must be after magic is set. */
 	result = dns_zone_setdbtype(zone, dbargc_default, dbargv_default);
-	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS) {
 		goto free_erefs;
+	}
 
 	ISC_EVENT_INIT(&zone->ctlevent, sizeof(zone->ctlevent), 0, NULL,
 		       DNS_EVENT_ZONECONTROL, zone_shutdown, zone, zone,
@@ -1083,18 +1088,25 @@ zone_free(dns_zone_t *zone) {
 	/*
 	 * Managed objects.  Order is important.
 	 */
-	if (zone->request != NULL)
+	if (zone->request != NULL) {
 		dns_request_destroy(&zone->request); /* XXXMPA */
+	}
 	INSIST(zone->readio == NULL);
 	INSIST(zone->statelist == NULL);
 	INSIST(zone->writeio == NULL);
 
-	if (zone->task != NULL)
+	if (zone->task != NULL) {
 		isc_task_detach(&zone->task);
-	if (zone->loadtask != NULL)
+	}
+	if (zone->loadtask != NULL) {
 		isc_task_detach(&zone->loadtask);
-	if (zone->view != NULL)
+	}
+	if (zone->view != NULL) {
 		dns_view_weakdetach(&zone->view);
+	}
+	if (zone->prev_view != NULL) {
+		dns_view_weakdetach(&zone->prev_view);
+	}
 
 	/* Unmanaged objects */
 	for (signing = ISC_LIST_HEAD(zone->signing);
@@ -1127,61 +1139,80 @@ zone_free(dns_zone_t *zone) {
 		isc_mem_free(zone->mctx, include->name);
 		isc_mem_put(zone->mctx, include, sizeof *include);
 	}
-	if (zone->masterfile != NULL)
+	if (zone->masterfile != NULL) {
 		isc_mem_free(zone->mctx, zone->masterfile);
+	}
 	zone->masterfile = NULL;
-	if (zone->keydirectory != NULL)
+	if (zone->keydirectory != NULL) {
 		isc_mem_free(zone->mctx, zone->keydirectory);
+	}
 	zone->keydirectory = NULL;
 	zone->journalsize = -1;
-	if (zone->journal != NULL)
+	if (zone->journal != NULL) {
 		isc_mem_free(zone->mctx, zone->journal);
+	}
 	zone->journal = NULL;
-	if (zone->stats != NULL)
+	if (zone->stats != NULL) {
 		isc_stats_detach(&zone->stats);
-	if (zone->requeststats != NULL)
+	}
+	if (zone->requeststats != NULL) {
 		isc_stats_detach(&zone->requeststats);
-	if (zone->rcvquerystats != NULL)
+	}
+	if (zone->rcvquerystats != NULL){
 		dns_stats_detach(&zone->rcvquerystats);
-	if (zone->db != NULL)
+	}
+	if (zone->db != NULL) {
 		zone_detachdb(zone);
-	if (zone->acache != NULL)
+	}
+	if (zone->acache != NULL) {
 		dns_acache_detach(&zone->acache);
+	}
 	if (zone->rpzs != NULL) {
 		REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones);
 		dns_rpz_detach_rpzs(&zone->rpzs);
 		zone->rpz_num = DNS_RPZ_INVALID_NUM;
 	}
 	zone_freedbargs(zone);
-	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0)
-		      == ISC_R_SUCCESS);
-	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0)
-		      == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL,
+						  NULL, 0) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(dns_zone_setalsonotify(zone, NULL, 0) == ISC_R_SUCCESS);
 	zone->check_names = dns_severity_ignore;
-	if (zone->update_acl != NULL)
+	if (zone->update_acl != NULL) {
 		dns_acl_detach(&zone->update_acl);
-	if (zone->forward_acl != NULL)
+	}
+	if (zone->forward_acl != NULL) {
 		dns_acl_detach(&zone->forward_acl);
-	if (zone->notify_acl != NULL)
+	}
+	if (zone->notify_acl != NULL) {
 		dns_acl_detach(&zone->notify_acl);
-	if (zone->query_acl != NULL)
+	}
+	if (zone->query_acl != NULL) {
 		dns_acl_detach(&zone->query_acl);
-	if (zone->queryon_acl != NULL)
+	}
+	if (zone->queryon_acl != NULL) {
 		dns_acl_detach(&zone->queryon_acl);
-	if (zone->xfr_acl != NULL)
+	}
+	if (zone->xfr_acl != NULL) {
 		dns_acl_detach(&zone->xfr_acl);
-	if (dns_name_dynamic(&zone->origin))
+	}
+	if (dns_name_dynamic(&zone->origin)) {
 		dns_name_free(&zone->origin, zone->mctx);
-	if (zone->strnamerd != NULL)
+	}
+	if (zone->strnamerd != NULL) {
 		isc_mem_free(zone->mctx, zone->strnamerd);
-	if (zone->strname != NULL)
+	}
+	if (zone->strname != NULL) {
 		isc_mem_free(zone->mctx, zone->strname);
-	if (zone->strrdclass != NULL)
+	}
+	if (zone->strrdclass != NULL) {
 		isc_mem_free(zone->mctx, zone->strrdclass);
-	if (zone->strviewname != NULL)
+	}
+	if (zone->strviewname != NULL) {
 		isc_mem_free(zone->mctx, zone->strviewname);
-	if (zone->ssutable != NULL)
+	}
+	if (zone->ssutable != NULL) {
 		dns_ssutable_detach(&zone->ssutable);
+	}
 
 	/* last stuff */
 	ZONEDB_DESTROYLOCK(&zone->dblock);
@@ -1349,7 +1380,7 @@ dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
 	unsigned int i;
 	isc_result_t result = ISC_R_SUCCESS;
 	void *mem;
-	char **tmp, *tmp2;
+	char **tmp, *tmp2, *base;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(argv != NULL && *argv == NULL);
@@ -1362,10 +1393,11 @@ dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
 	if (mem != NULL) {
 		tmp = mem;
 		tmp2 = mem;
+		base = mem;
 		tmp2 += (zone->db_argc + 1) * sizeof(char *);
 		for (i = 0; i < zone->db_argc; i++) {
 			*tmp++ = tmp2;
-			strcpy(tmp2, zone->db_argv[i]);
+			strlcpy(tmp2, zone->db_argv[i], size - (tmp2 - base));
 			tmp2 += strlen(tmp2) + 1;
 		}
 		*tmp = NULL;
@@ -1378,9 +1410,10 @@ dns_zone_getdbtype(dns_zone_t *zone, char ***argv, isc_mem_t *mctx) {
 
 isc_result_t
 dns_zone_setdbtype(dns_zone_t *zone,
-		   unsigned int dbargc, const char * const *dbargv) {
+		   unsigned int dbargc, const char * const *dbargv)
+{
 	isc_result_t result = ISC_R_SUCCESS;
-	char **new = NULL;
+	char **argv = NULL;
 	unsigned int i;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -1390,14 +1423,16 @@ dns_zone_setdbtype(dns_zone_t *zone,
 	LOCK_ZONE(zone);
 
 	/* Set up a new database argument list. */
-	new = isc_mem_get(zone->mctx, dbargc * sizeof(*new));
-	if (new == NULL)
+	argv = isc_mem_get(zone->mctx, dbargc * sizeof(*argv));
+	if (argv == NULL) {
 		goto nomem;
-	for (i = 0; i < dbargc; i++)
-		new[i] = NULL;
+	}
 	for (i = 0; i < dbargc; i++) {
-		new[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
-		if (new[i] == NULL)
+		argv[i] = NULL;
+	}
+	for (i = 0; i < dbargc; i++) {
+		argv[i] = isc_mem_strdup(zone->mctx, dbargv[i]);
+		if (argv[i] == NULL)
 			goto nomem;
 	}
 
@@ -1405,16 +1440,18 @@ dns_zone_setdbtype(dns_zone_t *zone,
 	zone_freedbargs(zone);
 
 	zone->db_argc = dbargc;
-	zone->db_argv = new;
+	zone->db_argv = argv;
 	result = ISC_R_SUCCESS;
 	goto unlock;
 
  nomem:
-	if (new != NULL) {
-		for (i = 0; i < dbargc; i++)
-			if (new[i] != NULL)
-				isc_mem_free(zone->mctx, new[i]);
-		isc_mem_put(zone->mctx, new, dbargc * sizeof(*new));
+	if (argv != NULL) {
+		for (i = 0; i < dbargc; i++) {
+			if (argv[i] != NULL) {
+				isc_mem_free(zone->mctx, argv[i]);
+			}
+		}
+		isc_mem_put(zone->mctx, argv, dbargc * sizeof(*argv));
 	}
 	result = ISC_R_NOMEMORY;
 
@@ -1423,30 +1460,43 @@ dns_zone_setdbtype(dns_zone_t *zone,
 	return (result);
 }
 
-void
-dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+static void
+dns_zone_setview_helper(dns_zone_t *zone, dns_view_t *view) {
 	char namebuf[1024];
-	REQUIRE(DNS_ZONE_VALID(zone));
 
-	LOCK_ZONE(zone);
+	if (zone->prev_view == NULL && zone->view != NULL) {
+		dns_view_weakattach(zone->view, &zone->prev_view);
+	}
+
 	INSIST(zone != zone->raw);
-	if (zone->view != NULL)
+	if (zone->view != NULL) {
 		dns_view_weakdetach(&zone->view);
+	}
 	dns_view_weakattach(view, &zone->view);
 
-	if (zone->strviewname != NULL)
+	if (zone->strviewname != NULL) {
 		isc_mem_free(zone->mctx, zone->strviewname);
-	if (zone->strnamerd != NULL)
+	}
+	if (zone->strnamerd != NULL) {
 		isc_mem_free(zone->mctx, zone->strnamerd);
+	}
 
 	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
 	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
 	zone_viewname_tostr(zone, namebuf, sizeof namebuf);
 	zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
 
-	if (inline_secure(zone))
+	if (inline_secure(zone)) {
 		dns_zone_setview(zone->raw, view);
+	}
+}
+
+void
+dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+	REQUIRE(DNS_ZONE_VALID(zone));
 
+	LOCK_ZONE(zone);
+	dns_zone_setview_helper(zone, view);
 	UNLOCK_ZONE(zone);
 }
 
@@ -1457,6 +1507,27 @@ dns_zone_getview(dns_zone_t *zone) {
 	return (zone->view);
 }
 
+void
+dns_zone_setviewcommit(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL)
+		dns_view_weakdetach(&zone->prev_view);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setviewrevert(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->prev_view != NULL) {
+		dns_zone_setview_helper(zone, zone->prev_view);
+		dns_view_weakdetach(&zone->prev_view);
+	}
+	UNLOCK_ZONE(zone);
+}
 
 isc_result_t
 dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
@@ -1605,8 +1676,8 @@ default_journal(dns_zone_t *zone) {
 		journal = isc_mem_allocate(zone->mctx, len);
 		if (journal == NULL)
 			return (ISC_R_NOMEMORY);
-		strcpy(journal, zone->masterfile);
-		strcat(journal, ".jnl");
+		strlcpy(journal, zone->masterfile, len);
+		strlcat(journal, ".jnl", len);
 	} else {
 		journal = NULL;
 	}
@@ -2004,39 +2075,25 @@ static void
 zone_asyncload(isc_task_t *task, isc_event_t *event) {
 	dns_asyncload_t *asl = event->ev_arg;
 	dns_zone_t *zone = asl->zone;
-	isc_result_t result = ISC_R_SUCCESS;
-	isc_boolean_t load_pending;
+	isc_result_t result;
 
 	UNUSED(task);
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	if ((event->ev_attributes & ISC_EVENTATTR_CANCELED) != 0)
-		result = ISC_R_CANCELED;
 	isc_event_free(&event);
 
-	if (result == ISC_R_CANCELED)
-		goto cleanup;
-
-	/* Make sure load is still pending */
 	LOCK_ZONE(zone);
-	load_pending = ISC_TF(DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING));
-
-	if (!load_pending) {
-		UNLOCK_ZONE(zone);
-		goto cleanup;
+	result = zone_load(zone, 0, ISC_TRUE);
+	if (result != DNS_R_CONTINUE) {
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
 	}
-
-	zone_load(zone, 0, ISC_TRUE);
-
-	DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_LOADPENDING);
 	UNLOCK_ZONE(zone);
 
 	/* Inform the zone table we've finished loading */
 	if (asl->loaded != NULL)
 		(asl->loaded)(asl->loaded_arg, zone, task);
 
- cleanup:
 	isc_mem_put(zone->mctx, asl, sizeof (*asl));
 	dns_zone_idetach(&zone);
 }
@@ -2053,8 +2110,11 @@ dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg) {
 		return (ISC_R_FAILURE);
 
 	/* If we already have a load pending, stop now */
-	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING))
+	LOCK_ZONE(zone);
+	if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADPENDING)) {
+		UNLOCK_ZONE(zone);
 		return (ISC_R_ALREADYRUNNING);
+	}
 
 	asl = isc_mem_get(zone->mctx, sizeof (*asl));
 	if (asl == NULL)
@@ -2071,7 +2131,6 @@ dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg) {
 	if (e == NULL)
 		CHECK(ISC_R_NOMEMORY);
 
-	LOCK_ZONE(zone);
 	zone_iattach(zone, &asl->zone);
 	DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_LOADPENDING);
 	isc_task_send(zone->loadtask, &e);
@@ -2082,6 +2141,7 @@ dns_zone_asyncload(dns_zone_t *zone, dns_zt_zoneloaded_t done, void *arg) {
   failure:
 	if (asl != NULL)
 		isc_mem_put(zone->mctx, asl, sizeof (*asl));
+	UNLOCK_ZONE(zone);
 	return (result);
 }
 
@@ -2606,10 +2666,24 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
 	dns_rdataset_init(&a);
 	dns_rdataset_init(&aaaa);
 
+	/*
+	 * Perform a regular lookup to catch DNAME records then look
+	 * for glue.
+	 */
 	result = dns_db_find(db, name, NULL, dns_rdatatype_a,
-			     DNS_DBFIND_GLUEOK, 0, NULL,
-			     foundname, &a, NULL);
-
+			     0, 0, NULL, foundname, &a, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+		break;
+	default:
+		if (dns_rdataset_isassociated(&a))
+			dns_rdataset_disassociate(&a);
+		result = dns_db_find(db, name, NULL, dns_rdatatype_a,
+				     DNS_DBFIND_GLUEOK, 0, NULL,
+				     foundname, &a, NULL);
+	}
 	if (result == ISC_R_SUCCESS) {
 		dns_rdataset_disassociate(&a);
 		return (ISC_TRUE);
@@ -2627,7 +2701,7 @@ zone_check_glue(dns_zone_t *zone, dns_db_t *db, dns_name_t *name,
 			dns_rdataset_disassociate(&aaaa);
 			return (ISC_TRUE);
 		}
-		if (tresult == DNS_R_DELEGATION)
+		if (tresult == DNS_R_DELEGATION || tresult == DNS_R_DNAME)
 			dns_rdataset_disassociate(&aaaa);
 		if (result == DNS_R_GLUE || tresult == DNS_R_GLUE) {
 			/*
@@ -2873,14 +2947,14 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 		 * Don't check the NS records at the origin.
 		 */
 		if (dns_name_equal(name, &zone->origin))
-			goto checkmx;
+			goto checkfordname;
 
 		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_ns,
 					     0, 0, &rdataset, NULL);
 		if (result != ISC_R_SUCCESS)
-			goto checkmx;
+			goto checkfordname;
 		/*
-		 * Remember bottom of zone.
+		 * Remember bottom of zone due to NS.
 		 */
 		dns_name_copy(name, bottom, NULL);
 
@@ -2897,7 +2971,18 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 		dns_rdataset_disassociate(&rdataset);
 		goto next;
 
- checkmx:
+ checkfordname:
+		result = dns_db_findrdataset(db, node, NULL,
+					     dns_rdatatype_dname, 0, 0,
+					     &rdataset, NULL);
+		if (result == ISC_R_SUCCESS) {
+			/*
+			 * Remember bottom of zone due to DNAME.
+			 */
+			dns_name_copy(name, bottom, NULL);
+			dns_rdataset_disassociate(&rdataset);
+		}
+
 		result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_mx,
 					     0, 0, &rdataset, NULL);
 		if (result != ISC_R_SUCCESS)
@@ -3119,6 +3204,12 @@ resume_signingwithkey(dns_zone_t *zone) {
 	}
 }
 
+/*
+ * Initiate adding/removing NSEC3 records belonging to the chain defined by the
+ * supplied NSEC3PARAM RDATA.
+ *
+ * Zone must be locked by caller.
+ */
 static isc_result_t
 zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	dns_nsec3chain_t *nsec3chain, *current;
@@ -3130,7 +3221,6 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	char saltbuf[255*2+1];
 	char flags[sizeof("INITIAL|REMOVE|CREATE|NONSEC|OPTOUT")];
 	dns_db_t *db = NULL;
-	int i;
 
 	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
 	if (zone->db != NULL)
@@ -3142,6 +3232,11 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 		goto cleanup;
 	}
 
+	/*
+	 * If this zone is not NSEC3-capable, attempting to remove any NSEC3
+	 * chain from it is pointless as it would not be possible for the
+	 * latter to exist in the first place.
+	 */
 	dns_db_currentversion(db, &version);
 	result = dns_nsec_nseconly(db, version, &nseconly);
 	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
@@ -3151,6 +3246,11 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 		goto cleanup;
 	}
 
+	/*
+	 * Allocate and initialize structure preserving state of
+	 * adding/removing records belonging to this NSEC3 chain between
+	 * separate zone_nsec3chain() calls.
+	 */
 	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
 	if (nsec3chain == NULL) {
 		result = ISC_R_NOMEMORY;
@@ -3173,6 +3273,9 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	nsec3chain->delete_nsec = ISC_FALSE;
 	nsec3chain->save_delete_nsec = ISC_FALSE;
 
+	/*
+	 * Log NSEC3 parameters defined by supplied NSEC3PARAM RDATA.
+	 */
 	if (nsec3param->flags == 0)
 		strlcpy(flags, "NONE", sizeof(flags));
 	else {
@@ -3204,16 +3307,19 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 				strlcat(flags, "|OPTOUT", sizeof(flags));
 		}
 	}
-	if (nsec3param->salt_length == 0)
-		strlcpy(saltbuf, "-", sizeof(saltbuf));
-	else
-		for (i = 0; i < nsec3param->salt_length; i++)
-			sprintf(&saltbuf[i*2], "%02X", nsec3chain->salt[i]);
+	result = dns_nsec3param_salttotext(nsec3param, saltbuf,
+					   sizeof(saltbuf));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_zone_log(zone, ISC_LOG_INFO,
 		     "zone_addnsec3chain(%u,%s,%u,%s)",
 		      nsec3param->hash, flags, nsec3param->iterations,
 		      saltbuf);
 
+	/*
+	 * If the NSEC3 chain defined by the supplied NSEC3PARAM RDATA is
+	 * currently being processed, interrupt its processing to avoid
+	 * simultaneously adding and removing records for the same NSEC3 chain.
+	 */
 	for (current = ISC_LIST_HEAD(zone->nsec3chain);
 	     current != NULL;
 	     current = ISC_LIST_NEXT(current, link)) {
@@ -3226,14 +3332,27 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 			current->done = ISC_TRUE;
 	}
 
+	/*
+	 * Attach zone database to the structure initialized above and create
+	 * an iterator for it with appropriate options in order to avoid
+	 * creating NSEC3 records for NSEC3 records.
+	 */
 	dns_db_attach(db, &nsec3chain->db);
 	if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
 		options = DNS_DB_NONSEC3;
 	result = dns_db_createiterator(nsec3chain->db, options,
 				       &nsec3chain->dbiterator);
 	if (result == ISC_R_SUCCESS)
-		dns_dbiterator_first(nsec3chain->dbiterator);
+		result = dns_dbiterator_first(nsec3chain->dbiterator);
 	if (result == ISC_R_SUCCESS) {
+		/*
+		 * Database iterator initialization succeeded.  We are now
+		 * ready to kick off adding/removing records belonging to this
+		 * NSEC3 chain.  Append the structure initialized above to the
+		 * "nsec3chain" list for the zone and set the appropriate zone
+		 * timer so that zone_nsec3chain() is called as soon as
+		 * possible.
+		 */
 		dns_dbiterator_pause(nsec3chain->dbiterator);
 		ISC_LIST_INITANDAPPEND(zone->nsec3chain,
 				       nsec3chain, link);
@@ -3260,6 +3379,13 @@ zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	return (result);
 }
 
+/*
+ * Find private-type records at the zone apex which signal that an NSEC3 chain
+ * should be added or removed.  For each such record, extract NSEC3PARAM RDATA
+ * and pass it to zone_addnsec3chain().
+ *
+ * Zone must be locked by caller.
+ */
 static void
 resume_addnsec3chain(dns_zone_t *zone) {
 	dns_dbnode_t *node = NULL;
@@ -3270,6 +3396,8 @@ resume_addnsec3chain(dns_zone_t *zone) {
 	isc_boolean_t nseconly = ISC_FALSE, nsec3ok = ISC_FALSE;
 	dns_db_t *db = NULL;
 
+	INSIST(LOCKED_ZONE(zone));
+
 	if (zone->privatetype == 0)
 		return;
 
@@ -3286,9 +3414,16 @@ resume_addnsec3chain(dns_zone_t *zone) {
 
 	dns_db_currentversion(db, &version);
 
+	/*
+	 * In order to create NSEC3 chains we need the DNSKEY RRset at zone
+	 * apex to exist and contain no keys using NSEC-only algorithms.
+	 */
 	result = dns_nsec_nseconly(db, version, &nseconly);
 	nsec3ok = (result == ISC_R_SUCCESS && !nseconly);
 
+	/*
+	 * Get the RRset containing all private-type records at the zone apex.
+	 */
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, version,
 				     zone->privatetype, dns_rdatatype_none,
@@ -3307,6 +3442,11 @@ resume_addnsec3chain(dns_zone_t *zone) {
 		dns_rdata_t private = DNS_RDATA_INIT;
 
 		dns_rdataset_current(&rdataset, &private);
+		/*
+		 * Try extracting NSEC3PARAM RDATA from this private-type
+		 * record.  Failure means this private-type record does not
+		 * represent an NSEC3PARAM record, so skip it.
+		 */
 		if (!dns_nsec3param_fromprivate(&private, &rdata, buf,
 						sizeof(buf)))
 			continue;
@@ -3315,6 +3455,11 @@ resume_addnsec3chain(dns_zone_t *zone) {
 		if (((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) ||
 		    ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 && nsec3ok))
 		{
+			/*
+			 * Pass the NSEC3PARAM RDATA contained in this
+			 * private-type record to zone_addnsec3chain() so that
+			 * it can kick off adding or removing NSEC3 records.
+			 */
 			result = zone_addnsec3chain(zone, &nsec3param);
 			if (result != ISC_R_SUCCESS) {
 				dns_zone_log(zone, ISC_LOG_ERROR,
@@ -5374,31 +5519,33 @@ dns_zone_getnotifysrc6(dns_zone_t *zone) {
 }
 
 static isc_boolean_t
-same_addrs(const isc_sockaddr_t *old, const isc_sockaddr_t *new,
-	     isc_uint32_t count)
+same_addrs(isc_sockaddr_t const *oldlist, isc_sockaddr_t const *newlist,
+	   isc_uint32_t count)
 {
 	unsigned int i;
 
 	for (i = 0; i < count; i++)
-		if (!isc_sockaddr_equal(&old[i], &new[i]))
+		if (!isc_sockaddr_equal(&oldlist[i], &newlist[i]))
 			return (ISC_FALSE);
 	return (ISC_TRUE);
 }
 
 static isc_boolean_t
-same_keynames(dns_name_t **old, dns_name_t **new, isc_uint32_t count) {
+same_keynames(dns_name_t * const *oldlist, dns_name_t * const *newlist,
+	      isc_uint32_t count)
+{
 	unsigned int i;
 
-	if (old == NULL && new == NULL)
+	if (oldlist == NULL && newlist == NULL)
 		return (ISC_TRUE);
-	if (old == NULL || new == NULL)
+	if (oldlist == NULL || newlist == NULL)
 		return (ISC_FALSE);
 
 	for (i = 0; i < count; i++) {
-		if (old[i] == NULL && new[i] == NULL)
+		if (oldlist[i] == NULL && newlist[i] == NULL)
 			continue;
-		if (old[i] == NULL || new[i] == NULL ||
-		     !dns_name_equal(old[i], new[i]))
+		if (oldlist[i] == NULL || newlist[i] == NULL ||
+		    !dns_name_equal(oldlist[i], newlist[i]))
 			return (ISC_FALSE);
 	}
 	return (ISC_TRUE);
@@ -5767,10 +5914,16 @@ was_dumping(dns_zone_t *zone) {
 	return (dumping);
 }
 
-static isc_result_t
-find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	       isc_mem_t *mctx, unsigned int maxkeys,
-	       dst_key_t **keys, unsigned int *nkeys)
+/*%
+ * Find up to 'maxkeys' DNSSEC keys used for signing version 'ver' of database
+ * 'db' for zone 'zone' in its key directory, then load these keys into 'keys'.
+ * Only load the public part of a given key if it is not active at timestamp
+ * 'now'.  Store the number of keys found in 'nkeys'.
+ */
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -5790,7 +5943,7 @@ find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 }
 
 static isc_result_t
-offline(dns_db_t *db, dns_dbversion_t *ver, zonediff_t *zonediff,
+offline(dns_db_t *db, dns_dbversion_t *ver, dns__zonediff_t *zonediff,
 	dns_name_t *name, dns_ttl_t ttl, dns_rdata_t *rdata)
 {
 	isc_result_t result;
@@ -5833,7 +5986,7 @@ set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
 		isc_time_set(&zone->keywarntime, when - delta, 0);
 	}  else {
 		isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
-		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
+		isc_time_formattimestamp(&zone->keywarntime, timebuf, 80);
 		dns_zone_log(zone, ISC_LOG_NOTICE,
 			     "setting keywarntime to %s", timebuf);
 	}
@@ -5899,7 +6052,7 @@ delsig_ok(dns_rdata_rrsig_t *rrsig_ptr, dst_key_t **keys, unsigned int nkeys,
  */
 static isc_result_t
 del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	 dns_rdatatype_t type, zonediff_t *zonediff, dst_key_t **keys,
+	 dns_rdatatype_t type, dns__zonediff_t *zonediff, dst_key_t **keys,
 	 unsigned int nkeys, isc_stdtime_t now, isc_boolean_t incremental)
 {
 	isc_result_t result;
@@ -6118,6 +6271,8 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 
 		if (!dst_key_isprivate(keys[i]))
 			continue;
+		if (dst_key_inactive(keys[i]))	/* Should be redundant. */
+			continue;
 
 		if (check_ksk && !REVOKE(keys[i])) {
 			isc_boolean_t have_ksk, have_nonksk;
@@ -6131,6 +6286,10 @@ add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 			for (j = 0; j < nkeys; j++) {
 				if (j == i || ALG(keys[i]) != ALG(keys[j]))
 					continue;
+				if (!dst_key_isprivate(keys[j]))
+					continue;
+				if (dst_key_inactive(keys[j]))	/* SBR */
+					continue;
 				if (REVOKE(keys[j]))
 					continue;
 				if (KSK(keys[j]))
@@ -6178,7 +6337,7 @@ zone_resigninc(dns_zone_t *zone) {
 	dns_db_t *db = NULL;
 	dns_dbversion_t *version = NULL;
 	dns_diff_t _sig_diff;
-	zonediff_t zonediff;
+	dns__zonediff_t zonediff;
 	dns_fixedname_t fixed;
 	dns_name_t *name;
 	dns_rdataset_t rdataset;
@@ -6187,7 +6346,7 @@ zone_resigninc(dns_zone_t *zone) {
 	isc_boolean_t check_ksk, keyset_kskonly = ISC_FALSE;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire, stop;
-	isc_uint32_t jitter;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i;
 	unsigned int nkeys = 0;
 	unsigned int resign;
@@ -6222,25 +6381,35 @@ zone_resigninc(dns_zone_t *zone) {
 		goto failure;
 	}
 
-	result = find_zone_keys(zone, db, version, zone->mctx, DNS_MAXZONEKEYS,
-				zone_keys, &nkeys);
+	result = dns__zone_findkeys(zone, db, version, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_resigninc:find_zone_keys -> %s",
+			     "zone_resigninc:dns__zone_findkeys -> %s",
 			     dns_result_totext(result));
 		goto failure;
 	}
 
 	isc_stdtime_get(&now);
+	sigvalidityinterval = zone->sigvalidityinterval;
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;
 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= 3600;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
 	stop = now + 5;
 
 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
@@ -6316,7 +6485,8 @@ zone_resigninc(dns_zone_t *zone) {
 	 */
 	if (ISC_LIST_EMPTY(zonediff.diff->tuples)) {
 		/*
-		 * Commit the changes if any key has been marked as offline.			 */
+		 * Commit the changes if any key has been marked as offline.
+		 */
 		if (zonediff.offline)
 			dns_db_closeversion(db, &version, ISC_TRUE);
 		goto failure;
@@ -6357,7 +6527,7 @@ zone_resigninc(dns_zone_t *zone) {
 	for (i = 0; i < nkeys; i++)
 		dst_key_free(&zone_keys[i]);
 	if (version != NULL) {
-		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+		dns_db_closeversion(db, &version, ISC_FALSE);
 		dns_db_detach(&db);
 	} else if (db != NULL)
 		dns_db_detach(&db);
@@ -6685,17 +6855,17 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 			continue;
 		}
 		/*
-		 * We have a match.  If we were signing (!signing->delete)
+		 * We have a match.  If we were signing (!signing->deleteit)
 		 * and we already have a record indicating that we have
 		 * finished signing (rdata.data[4] != 0) then keep it.
 		 * Otherwise it needs to be deleted as we have removed all
-		 * the signatures (signing->delete), so any record indicating
+		 * the signatures (signing->deleteit), so any record indicating
 		 * completion is now out of date, or we have finished signing
 		 * with the new record so we no longer need to remember that
 		 * we need to sign the zone with the matching key across a
 		 * nameserver re-start.
 		 */
-		if (!signing->delete && rdata.data[4] != 0) {
+		if (!signing->deleteit && rdata.data[4] != 0) {
 			seen_done = ISC_TRUE;
 			have_rr = ISC_TRUE;
 		} else
@@ -6706,7 +6876,7 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
-	if (!signing->delete && !seen_done) {
+	if (!signing->deleteit && !seen_done) {
 		/*
 		 * If we were signing then we need to indicate that we have
 		 * finished signing the zone with this key.  If it is already
@@ -6745,9 +6915,28 @@ updatesignwithkey(dns_zone_t *zone, dns_signing_t *signing,
 }
 
 /*
- * If 'active' is set then we are not done with the chain yet so only
- * delete the nsec3param record which indicates a full chain exists
- * (flags == 0).
+ * Called from zone_nsec3chain() in order to update zone records indicating
+ * processing status of given NSEC3 chain:
+ *
+ *   - If the supplied dns_nsec3chain_t structure has been fully processed
+ *     (which is indicated by "active" being set to ISC_FALSE):
+ *
+ *       - remove all NSEC3PARAM records matching the relevant NSEC3 chain,
+ *
+ *       - remove all private-type records containing NSEC3PARAM RDATA matching
+ *         the relevant NSEC3 chain.
+ *
+ *   - If the supplied dns_nsec3chain_t structure has not been fully processed
+ *     (which is indicated by "active" being set to ISC_TRUE), only remove the
+ *     NSEC3PARAM record which matches the relevant NSEC3 chain and has the
+ *     "flags" field set to 0.
+ *
+ *   - If given NSEC3 chain is being added, add an NSEC3PARAM record contained
+ *     in the relevant private-type record, but with the "flags" field set to
+ *     0, indicating that this NSEC3 chain is now complete for this zone.
+ *
+ * Note that this function is called at different processing stages for NSEC3
+ * chain additions vs. removals and needs to handle all cases properly.
  */
 static isc_result_t
 fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
@@ -7033,12 +7222,18 @@ need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
 	return (result);
 }
 
-static isc_result_t
-update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
-	    dst_key_t *zone_keys[], unsigned int nkeys, dns_zone_t *zone,
-	    isc_stdtime_t inception, isc_stdtime_t expire, isc_stdtime_t now,
-	    isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
-	    zonediff_t *zonediff)
+/*%
+ * Add/remove DNSSEC signatures for the list of "raw" zone changes supplied in
+ * 'diff'.  Gradually remove tuples from 'diff' and append them to 'zonediff'
+ * along with tuples representing relevant signature changes.
+ */
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t now,
+		     isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
+		     dns__zonediff_t *zonediff)
 {
 	dns_difftuple_t *tuple;
 	isc_result_t result;
@@ -7051,7 +7246,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
 				  zone_keys, nkeys, now, ISC_FALSE);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "update_sigs:del_sigs -> %s",
+				     "dns__zone_updatesigs:del_sigs -> %s",
 				     dns_result_totext(result));
 			return (result);
 		}
@@ -7061,7 +7256,7 @@ update_sigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
 				  expire, check_ksk, keyset_kskonly);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
-				     "update_sigs:add_sigs -> %s",
+				     "dns__zone_updatesigs:add_sigs -> %s",
 				     dns_result_totext(result));
 			return (result);
 		}
@@ -7095,7 +7290,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	dns_diff_t nsec_diff;
 	dns_diff_t nsec3_diff;
 	dns_diff_t param_diff;
-	zonediff_t zonediff;
+	dns__zonediff_t zonediff;
 	dns_fixedname_t fixed;
 	dns_fixedname_t nextfixed;
 	dns_name_t *name, *nextname;
@@ -7109,7 +7304,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 	isc_boolean_t first;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire;
-	isc_uint32_t jitter;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i;
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
@@ -7144,8 +7339,22 @@ zone_nsec3chain(dns_zone_t *zone) {
 	}
 
 	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
-	dns_db_attach(zone->db, &db);
+	/*
+	 * This function is called when zone timer fires, after the latter gets
+	 * set by zone_addnsec3chain().  If the action triggering the call to
+	 * zone_addnsec3chain() is closely followed by a zone deletion request,
+	 * it might turn out that the timer thread will not be woken up until
+	 * after the zone is deleted by rmzone(), which calls dns_db_detach()
+	 * for zone->db, causing the latter to become NULL.  Return immediately
+	 * if that happens.
+	 */
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &db);
+	}
 	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+	if (db == NULL) {
+		return;
+	}
 
 	result = dns_db_newversion(db, &version);
 	if (result != ISC_R_SUCCESS) {
@@ -7155,26 +7364,36 @@ zone_nsec3chain(dns_zone_t *zone) {
 		goto failure;
 	}
 
-	result = find_zone_keys(zone, db, version, zone->mctx,
-				DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	result = dns__zone_findkeys(zone, db, version, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_nsec3chain:find_zone_keys -> %s",
+			     "zone_nsec3chain:dns__zone_findkeys -> %s",
 			     dns_result_totext(result));
 		goto failure;
 	}
 
 	isc_stdtime_get(&now);
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;
 
 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= 3600;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
 
 	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
 	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
@@ -7195,6 +7414,25 @@ zone_nsec3chain(dns_zone_t *zone) {
 		nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
 	/*
 	 * Generate new NSEC3 chains first.
+	 *
+	 * The following while loop iterates over nodes in the zone database,
+	 * updating the NSEC3 chain by calling dns_nsec3_addnsec3() for each of
+	 * them.  Once all nodes are processed, the "delete_nsec" field is
+	 * consulted to check whether we are supposed to remove NSEC records
+	 * from the zone database; if so, the database iterator is reset to
+	 * point to the first node and the loop traverses all of them again,
+	 * this time removing NSEC records.  If we hit a node which is obscured
+	 * by a delegation or a DNAME, nodes are skipped over until we find one
+	 * that is not obscured by the same obscuring name and then normal
+	 * processing is resumed.
+	 *
+	 * The above is repeated until all requested NSEC3 chain changes are
+	 * applied or when we reach the limits for this quantum, whichever
+	 * happens first.
+	 *
+	 * Note that the "signatures" variable is only used here to limit the
+	 * amount of work performed.  Actual DNSSEC signatures are only
+	 * generated by dns__zone_updatesigs() calls later in this function.
 	 */
 	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
 		LOCK_ZONE(zone);
@@ -7396,6 +7634,16 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 	/*
 	 * Process removals.
+	 *
+	 * This is a counterpart of the above while loop which takes care of
+	 * removing an NSEC3 chain.  It starts with determining whether the
+	 * zone needs to switch from NSEC3 to NSEC; if so, it first builds an
+	 * NSEC chain by iterating over all nodes in the zone database and only
+	 * then goes on to remove NSEC3 records be iterating over all nodes
+	 * again and calling deletematchingnsec3() for each of them; otherwise,
+	 * it starts removing NSEC3 records immediately.  Rules for processing
+	 * obscured nodes and interrupting work are the same as for the while
+	 * loop above.
 	 */
 	LOCK_ZONE(zone);
 	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
@@ -7441,7 +7689,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 
 		if (!buildnsecchain) {
 			/*
-			 * Delete the NSECPARAM record that matches this chain.
+			 * Delete the NSEC3PARAM record matching this chain.
 			 */
 			if (first) {
 				result = fixup_nsec3param(db, version,
@@ -7458,7 +7706,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 			}
 
 			/*
-			 *  Delete the NSEC3 records.
+			 * Delete the NSEC3 records.
 			 */
 			result = deletematchingnsec3(db, version, node, name,
 						     &nsec3chain->nsec3param,
@@ -7538,6 +7786,7 @@ zone_nsec3chain(dns_zone_t *zone) {
 			dns_dbiterator_pause(nsec3chain->dbiterator);
 			CHECK(add_nsec(db, version, name, node, zone->minimum,
 				       delegation, &nsec_diff));
+			signatures--;
 		}
 
  next_removenode:
@@ -7669,12 +7918,13 @@ zone_nsec3chain(dns_zone_t *zone) {
 	 */
 	if (nsec3chain != NULL)
 		dns_dbiterator_pause(nsec3chain->dbiterator);
-	result = update_sigs(&nsec3_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
+	result = dns__zone_updatesigs(&nsec3_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
 		goto failure;
 	}
 
@@ -7682,12 +7932,13 @@ zone_nsec3chain(dns_zone_t *zone) {
 	 * We have changed the NSEC3PARAM or private RRsets
 	 * above so we need to update the signatures.
 	 */
-	result = update_sigs(&param_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
+	result = dns__zone_updatesigs(&param_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
 		goto failure;
 	}
 
@@ -7702,12 +7953,13 @@ zone_nsec3chain(dns_zone_t *zone) {
 		}
 	}
 
-	result = update_sigs(&nsec_diff, db, version, zone_keys,
-			     nkeys, zone, inception, expire, now,
-			     check_ksk, keyset_kskonly, &zonediff);
+	result = dns__zone_updatesigs(&nsec_diff, db, version, zone_keys,
+				      nkeys, zone, inception, expire, now,
+				      check_ksk, keyset_kskonly, &zonediff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
-			     "update_sigs -> %s", dns_result_totext(result));
+			     "dns__zone_updatesigs -> %s",
+			     dns_result_totext(result));
 		goto failure;
 	}
 
@@ -7871,15 +8123,26 @@ zone_nsec3chain(dns_zone_t *zone) {
 	INSIST(version == NULL);
 }
 
+/*%
+ * Delete all RRSIG records with the given algorithm and keyid.
+ * Remove the NSEC record and RRSIGs if nkeys is zero.
+ * If all remaining RRsets are signed with the given algorithm
+ * set *has_algp to ISC_TRUE.
+ */
 static isc_result_t
 del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
-	isc_uint16_t keyid, dns_diff_t *diff)
+	isc_uint16_t keyid, isc_boolean_t *has_algp, dns_diff_t *diff)
 {
 	dns_rdata_rrsig_t rrsig;
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *iterator = NULL;
 	isc_result_t result;
+	isc_boolean_t alg_missed = ISC_FALSE;
+	isc_boolean_t alg_found = ISC_FALSE;
+
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_name_format(name, namebuf, sizeof(namebuf));
 
 	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
 	if (result != ISC_R_SUCCESS) {
@@ -7892,6 +8155,7 @@ del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 	for (result = dns_rdatasetiter_first(iterator);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(iterator)) {
+		isc_boolean_t has_alg = ISC_FALSE;
 		dns_rdatasetiter_current(iterator, &rdataset);
 		if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
 			for (result = dns_rdataset_first(&rdataset);
@@ -7914,13 +8178,20 @@ del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		}
 		for (result = dns_rdataset_first(&rdataset);
 		     result == ISC_R_SUCCESS;
-		     result = dns_rdataset_next(&rdataset)) {
+		     result = dns_rdataset_next(&rdataset))
+		{
 			dns_rdata_t rdata = DNS_RDATA_INIT;
 			dns_rdataset_current(&rdataset, &rdata);
 			CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
-			if (rrsig.algorithm != algorithm ||
-			    rrsig.keyid != keyid)
+			if (nkeys != 0 &&
+			    (rrsig.algorithm != algorithm ||
+			     rrsig.keyid != keyid))
+			{
+				if (rrsig.algorithm == algorithm) {
+					has_alg = ISC_TRUE;
+				}
 				continue;
+			}
 			CHECK(update_one_rr(db, version, diff,
 					    DNS_DIFFOP_DELRESIGN, name,
 					    rdataset.ttl, &rdata));
@@ -7928,9 +8199,25 @@ del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
 		dns_rdataset_disassociate(&rdataset);
 		if (result != ISC_R_NOMORE)
 			break;
+
+		/*
+		 * After deleting, if there's still a signature for
+		 * 'algorithm', set alg_found; if not, set alg_missed.
+		 */
+		if (has_alg) {
+			alg_found = ISC_TRUE;
+		} else {
+			alg_missed = ISC_TRUE;
+		}
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
+
+	/*
+	 * Set `has_algp` if the algorithm was found in every RRset:
+	 * i.e., found in at least one, and not missing from any.
+	 */
+	*has_algp = ISC_TF(alg_found && !alg_missed);
  failure:
 	if (dns_rdataset_isassociated(&rdataset))
 		dns_rdataset_disassociate(&rdataset);
@@ -7950,7 +8237,7 @@ zone_sign(dns_zone_t *zone) {
 	dns_dbversion_t *version = NULL;
 	dns_diff_t _sig_diff;
 	dns_diff_t post_diff;
-	zonediff_t zonediff;
+	dns__zonediff_t zonediff;
 	dns_fixedname_t fixed;
 	dns_fixedname_t nextfixed;
 	dns_name_t *name, *nextname;
@@ -7960,6 +8247,7 @@ zone_sign(dns_zone_t *zone) {
 	dst_key_t *zone_keys[DNS_MAXZONEKEYS];
 	isc_int32_t signatures;
 	isc_boolean_t check_ksk, keyset_kskonly, is_ksk;
+	isc_boolean_t with_ksk, with_zsk;
 	isc_boolean_t commit = ISC_FALSE;
 	isc_boolean_t delegation;
 	isc_boolean_t build_nsec = ISC_FALSE;
@@ -7967,7 +8255,7 @@ zone_sign(dns_zone_t *zone) {
 	isc_boolean_t first;
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire, expire;
-	isc_uint32_t jitter;
+	isc_uint32_t jitter, sigvalidityinterval;
 	unsigned int i, j;
 	unsigned int nkeys = 0;
 	isc_uint32_t nodes;
@@ -8009,26 +8297,36 @@ zone_sign(dns_zone_t *zone) {
 		goto failure;
 	}
 
-	result = find_zone_keys(zone, db, version, zone->mctx,
-				DNS_MAXZONEKEYS, zone_keys, &nkeys);
+	result = dns__zone_findkeys(zone, db, version, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "zone_sign:find_zone_keys -> %s",
+			     "zone_sign:dns__zone_findkeys -> %s",
 			     dns_result_totext(result));
 		goto failure;
 	}
 
 	isc_stdtime_get(&now);
+	sigvalidityinterval = dns_zone_getsigvalidityinterval(zone);
 	inception = now - 3600;	/* Allow for clock skew. */
-	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	soaexpire = now + sigvalidityinterval;
 
 	/*
 	 * Spread out signatures over time if they happen to be
 	 * clumped.  We don't do this for each add_sigs() call as
 	 * we still want some clustering to occur.
 	 */
-	isc_random_get(&jitter);
-	expire = soaexpire - jitter % 3600;
+	if (sigvalidityinterval >= 3600U) {
+		isc_random_get(&jitter);
+		if (sigvalidityinterval > 7200U) {
+			jitter %= 3600;
+		} else {
+			jitter %= 1200;
+		}
+		expire = soaexpire - jitter - 1;
+	} else {
+		expire = soaexpire - 1;
+	}
 
 	/*
 	 * We keep pulling nodes off each iterator in turn until
@@ -8052,6 +8350,7 @@ zone_sign(dns_zone_t *zone) {
 		build_nsec = ISC_TRUE;
 
 	while (signing != NULL && nodes-- > 0 && signatures > 0) {
+		isc_boolean_t has_alg = ISC_FALSE;
 		nextsigning = ISC_LIST_NEXT(signing, link);
 
 		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
@@ -8073,7 +8372,7 @@ zone_sign(dns_zone_t *zone) {
 
 		delegation = ISC_FALSE;
 
-		if (first && signing->delete) {
+		if (first && signing->deleteit) {
 			/*
 			 * Remove the key we are deleting from consideration.
 			 */
@@ -8091,16 +8390,19 @@ zone_sign(dns_zone_t *zone) {
 				zone_keys[j] = zone_keys[i];
 				j++;
 			}
+			for (i = j; i < nkeys; i++) {
+				zone_keys[i] = NULL;
+			}
 			nkeys = j;
 		}
 
 		dns_dbiterator_current(signing->dbiterator, &node, name);
 
-		if (signing->delete) {
+		if (signing->deleteit) {
 			dns_dbiterator_pause(signing->dbiterator);
 			CHECK(del_sig(db, version, name, node, nkeys,
 				      signing->algorithm, signing->keyid,
-				      zonediff.diff));
+				      &has_alg, zonediff.diff));
 		}
 
 		/*
@@ -8117,7 +8419,7 @@ zone_sign(dns_zone_t *zone) {
 					     DNS_DBFIND_NOWILD, 0, NULL, found,
 					     NULL, NULL);
 			if ((result == DNS_R_DELEGATION ||
-			    result == DNS_R_DNAME) &&
+			     result == DNS_R_DNAME) &&
 			    !dns_name_equal(name, found)) {
 				/*
 				 * Remember the obscuring name so that
@@ -8132,8 +8434,10 @@ zone_sign(dns_zone_t *zone) {
 		/*
 		 * Process one node.
 		 */
+		with_ksk = ISC_FALSE;
+		with_zsk = ISC_FALSE;
 		dns_dbiterator_pause(signing->dbiterator);
-		for (i = 0; i < nkeys; i++) {
+		for (i = 0; !has_alg && i < nkeys; i++) {
 			isc_boolean_t both = ISC_FALSE;
 
 			/*
@@ -8141,11 +8445,16 @@ zone_sign(dns_zone_t *zone) {
 			 */
 			if (!dst_key_isprivate(zone_keys[i]))
 				continue;
+			/*
+			 * Should be redundant.
+			 */
+			if (dst_key_inactive(zone_keys[i]))
+				continue;
 
 			/*
 			 * When adding look for the specific key.
 			 */
-			if (!signing->delete &&
+			if (!signing->deleteit &&
 			    (dst_key_alg(zone_keys[i]) != signing->algorithm ||
 			     dst_key_id(zone_keys[i]) != signing->keyid))
 				continue;
@@ -8154,7 +8463,7 @@ zone_sign(dns_zone_t *zone) {
 			 * When deleting make sure we are properly signed
 			 * with the algorithm that was being removed.
 			 */
-			if (signing->delete &&
+			if (signing->deleteit &&
 			    ALG(zone_keys[i]) != signing->algorithm)
 				continue;
 
@@ -8175,6 +8484,13 @@ zone_sign(dns_zone_t *zone) {
 					    ALG(zone_keys[i]) !=
 					    ALG(zone_keys[j]))
 						continue;
+					if (!dst_key_isprivate(zone_keys[j]))
+						continue;
+					/*
+					 * Should be redundant.
+					 */
+					if (dst_key_inactive(zone_keys[j]))
+						continue;
 					if (REVOKE(zone_keys[j]))
 						continue;
 					if (KSK(zone_keys[j]))
@@ -8191,6 +8507,19 @@ zone_sign(dns_zone_t *zone) {
 			else
 				is_ksk = ISC_FALSE;
 
+			/*
+			 * If deleting signatures, we need to ensure that
+			 * the RRset is still signed at least once by a
+			 * KSK and a ZSK.
+			 */
+			if (signing->deleteit && !is_ksk && with_zsk) {
+				continue;
+			}
+
+			if (signing->deleteit && is_ksk && with_ksk) {
+				continue;
+			}
+
 			CHECK(sign_a_node(db, name, node, version, build_nsec3,
 					  build_nsec, zone_keys[i], inception,
 					  expire, zone->minimum, is_ksk,
@@ -8201,8 +8530,15 @@ zone_sign(dns_zone_t *zone) {
 			 * If we are adding we are done.  Look for other keys
 			 * of the same algorithm if deleting.
 			 */
-			if (!signing->delete)
+			if (!signing->deleteit) {
 				break;
+			}
+			if (!is_ksk) {
+				with_zsk = ISC_TRUE;
+			}
+			if (KSK(zone_keys[i])) {
+				with_ksk = ISC_TRUE;
+			}
 		}
 
 		/*
@@ -8275,12 +8611,14 @@ zone_sign(dns_zone_t *zone) {
 	}
 
 	if (ISC_LIST_HEAD(post_diff.tuples) != NULL) {
-		result = update_sigs(&post_diff, db, version, zone_keys,
-				     nkeys, zone, inception, expire, now,
-				     check_ksk, keyset_kskonly, &zonediff);
+		result = dns__zone_updatesigs(&post_diff, db, version,
+					      zone_keys, nkeys, zone,
+					      inception, expire, now,
+					      check_ksk, keyset_kskonly,
+					      &zonediff);
 		if (result != ISC_R_SUCCESS) {
 			dns_zone_log(zone, ISC_LOG_ERROR, "zone_sign:"
-				     "update_sigs -> %s",
+				     "dns__zone_updatesigs -> %s",
 				     dns_result_totext(result));
 			goto failure;
 		}
@@ -8719,7 +9057,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	dst_key_t *dstkey;
 	isc_stdtime_t now;
 	int pending = 0;
-	isc_boolean_t secure;
+	isc_boolean_t secure = ISC_FALSE;
 	isc_boolean_t free_needed;
 
 	UNUSED(task);
@@ -8762,6 +9100,10 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	if (alldone)
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
 
+	dns_zone_log(zone, ISC_LOG_DEBUG(3),
+		     "Returned from key fetch in keyfetch_done() for "
+		     "'%s': %s", namebuf, dns_result_totext(eresult));
+
 	/* Fetch failed */
 	if (eresult != ISC_R_SUCCESS ||
 	    !dns_rdataset_isassociated(&kfetch->dnskeyset)) {
@@ -8842,15 +9184,22 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		if (keynode != NULL)
 			dns_keytable_detachkeynode(secroots, &keynode);
 
-		if (kfetch->dnskeyset.trust == dns_trust_secure)
+		if (kfetch->dnskeyset.trust == dns_trust_secure) {
+			secure = ISC_TRUE;
 			break;
+		}
 	}
 
 	/*
 	 * If we were not able to verify the answer using the current
 	 * trusted keys then all we can do is look at any revoked keys.
 	 */
-	secure = ISC_TF(kfetch->dnskeyset.trust == dns_trust_secure);
+
+	if (!secure) {
+		dns_zone_log(zone, ISC_LOG_DEBUG(3),
+			     "DNSKEY set for zone '%s' could not be verified "
+			     "with current keys", namebuf);
+	}
 
 	/*
 	 * First scan keydataset to find keys that are not in dnskeyset
@@ -8868,12 +9217,19 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 	initializing = ISC_TRUE;
 	for (result = dns_rdataset_first(&kfetch->keydataset);
 	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(&kfetch->keydataset)) {
+	     result = dns_rdataset_next(&kfetch->keydataset))
+	{
+		dns_keytag_t keytag;
+
 		dns_rdata_reset(&keydatarr);
 		dns_rdataset_current(&kfetch->keydataset, &keydatarr);
 		result = dns_rdata_tostruct(&keydatarr, &keydata, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
+		dns_keydata_todnskey(&keydata, &dnskey, NULL);
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
 		/*
 		 * If any keydata record has a nonzero add holddown, then
 		 * there was a pre-existing trust anchor for this domain;
@@ -8887,27 +9243,35 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 
 			if (!secure) {
 				if (keydata.removehd != 0 &&
-				    keydata.removehd <= now)
+				    keydata.removehd <= now) {
 					deletekey = ISC_TRUE;
+				}
 			} else if (keydata.addhd == 0) {
 				deletekey = ISC_TRUE;
 			} else if (keydata.addhd > now) {
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Pending key unexpectedly missing "
-					     "from %s; restarting acceptance "
-					     "timer", namebuf);
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Pending key %d for zone %s "
+					     "unexpectedly missing "
+					     "restarting 30-day acceptance "
+					     "timer", keytag, namebuf);
 				if (keydata.addhd < now + dns_zone_mkey_month)
 					keydata.addhd =
 						now + dns_zone_mkey_month;
 				keydata.refresh = refresh_time(kfetch,
 							       ISC_FALSE);
 			} else if (keydata.removehd == 0) {
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Active key unexpectedly missing "
-					     "from %s", namebuf);
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Active key %d for zone %s "
+					     "unexpectedly missing",
+					     keytag, namebuf);
 				keydata.refresh = now + dns_zone_mkey_hour;
 			} else if (keydata.removehd <= now) {
 				deletekey = ISC_TRUE;
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Revoked key %d for zone %s "
+					     "missing: deleting from "
+					     "managed keys database",
+					     keytag, namebuf);
 			} else {
 				keydata.refresh = refresh_time(kfetch,
 							       ISC_FALSE);
@@ -8963,6 +9327,7 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		isc_boolean_t updatekey = ISC_FALSE;
 		isc_boolean_t deletekey = ISC_FALSE;
 		isc_boolean_t trustkey = ISC_FALSE;
+		dns_keytag_t keytag;
 
 		dns_rdata_reset(&dnskeyrr);
 		dns_rdataset_current(&kfetch->dnskeyset, &dnskeyrr);
@@ -8973,6 +9338,9 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 		if (!ISC_TF(dnskey.flags & DNS_KEYFLAG_KSK))
 			continue;
 
+		result = compute_tag(keyname, &dnskey, mctx, &keytag);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
 		revoked = ISC_TF(dnskey.flags & DNS_KEYFLAG_REVOKE);
 
 		if (matchkey(&kfetch->keydataset, &dnskeyrr)) {
@@ -8988,6 +9356,13 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 					 * it's been revoked?  Just remove it
 					 */
 					deletekey = ISC_TRUE;
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "Pending key %d "
+						     "for zone %s is now "
+						     "revoked: "
+						     "deleting from the "
+						     "managed keys database",
+						     keytag, namebuf);
 				} else if (keydata.removehd == 0) {
 					/*
 					 * Remove key from secroots.
@@ -9004,16 +9379,30 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 						keydata.flags |=
 							DNS_KEYFLAG_REVOKE;
 					}
+
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Trusted key %d "
+						     "for zone %s is now "
+						     "revoked",
+						     keytag, namebuf);
 				} else if (keydata.removehd < now) {
 					/* Scheduled for removal */
 					deletekey = ISC_TRUE;
+
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Revoked key %d "
+						     "for zone %s removal "
+						     "timer complete: "
+						     "deleting from the "
+						     "managed keys database",
+						     keytag, namebuf);
 				}
 			} else if (revoked && keydata.removehd == 0) {
 				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "Active key for zone "
-					     "'%s' is revoked but "
+					     "Active key %d for zone "
+					     "%s is revoked but "
 					     "did not self-sign; "
-					     "ignoring.", namebuf);
+					     "ignoring", keytag, namebuf);
 					continue;
 			} else if (secure) {
 				if (keydata.removehd != 0) {
@@ -9022,20 +9411,34 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 					 * seems it used to be.
 					 * Remove it now and add it
 					 * back as if it were a fresh key,
-					 * with a 30 day acceptance timer.
+					 * with a 30-day acceptance timer.
 					 */
 					deletekey = ISC_TRUE;
 					newkey = ISC_TRUE;
 					keydata.removehd = 0;
 					keydata.addhd =
 						now + dns_zone_mkey_month;
+
+					dns_zone_log(zone, ISC_LOG_DEBUG(3),
+						     "Revoked key %d "
+						     "for zone %s "
+						     "has returned: starting "
+						     "30-day acceptance timer",
+						     keytag, namebuf);
 				} else if (keydata.addhd > now)
 					pending++;
 				else if (keydata.addhd == 0)
 					keydata.addhd = now;
 
-				if (keydata.addhd <= now)
+				if (keydata.addhd <= now) {
 					trustkey = ISC_TRUE;
+					dns_zone_log(zone, ISC_LOG_INFO,
+						     "Key %d for zone %s "
+						     "acceptance timer "
+						     "complete: "
+						     "key now trusted",
+						     keytag, namebuf);
+				}
 			} else if (keydata.addhd > now) {
 				/*
 				 * Not secure, and key is pending:
@@ -9043,6 +9446,12 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 				 */
 				pending++;
 				keydata.addhd = now + dns_zone_mkey_month;
+				dns_zone_log(zone, ISC_LOG_DEBUG(3),
+					     "Pending key %d "
+					     "for zone %s was "
+					     "not validated: restarting "
+					     "30-day acceptance timer",
+					     keytag, namebuf);
 			}
 
 			if (!deletekey && !newkey)
@@ -9059,17 +9468,21 @@ keyfetch_done(isc_task_t *task, isc_event_t *event) {
 			newkey = ISC_TRUE;
 
 			if (initializing) {
-				dns_keytag_t tag = 0;
-				CHECK(compute_tag(keyname, &dnskey,
-						  mctx, &tag));
 				dns_zone_log(zone, ISC_LOG_WARNING,
 					     "Initializing automatic trust "
 					     "anchor management for zone '%s'; "
 					     "DNSKEY ID %d is now trusted, "
 					     "waiving the normal 30-day "
 					     "waiting period.",
-					     namebuf, tag);
+					     namebuf, keytag);
 				trustkey = ISC_TRUE;
+			} else {
+				dns_zone_log(zone, ISC_LOG_INFO,
+					     "New key %d observed "
+					     "for zone '%s': "
+					     "starting 30-day "
+					     "acceptance timer",
+					     keytag, namebuf);
 			}
 		} else {
 			/*
@@ -9268,7 +9681,7 @@ zone_refreshkeys(dns_zone_t *zone) {
 			}
 
 			/* Acceptance timer expired? */
-			if (kd.addhd != 0 && kd.addhd < now)
+			if (kd.addhd <= now)
 				timer = kd.addhd;
 
 			/* Or do we just need to refresh the keyset? */
@@ -9300,11 +9713,31 @@ zone_refreshkeys(dns_zone_t *zone) {
 		dns_db_attach(db, &kfetch->db);
 		kfetch->fetch = NULL;
 
+		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) {
+			char namebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(kname, namebuf,
+					sizeof(namebuf));
+			dns_zone_log(zone, ISC_LOG_DEBUG(3),
+				     "Creating key fetch in "
+				     "zone_refreshkeys() for '%s'",
+				     namebuf);
+		}
+
+		/*
+		 * Use of DNS_FETCHOPT_NOCACHED is essential here.  If it is
+		 * not set and the cache still holds a non-expired, validated
+		 * version of the RRset being queried for by the time the
+		 * response is received, the cached RRset will be passed to
+		 * keyfetch_done() instead of the one received in the response
+		 * as the latter will have a lower trust level due to not being
+		 * validated until keyfetch_done() is called.
+		 */
 		result = dns_resolver_createfetch(zone->view->resolver,
 						  kname, dns_rdatatype_dnskey,
 						  NULL, NULL, NULL,
 						  DNS_FETCHOPT_NOVALIDATE|
-						  DNS_FETCHOPT_UNSHARED,
+						  DNS_FETCHOPT_UNSHARED|
+						  DNS_FETCHOPT_NOCACHED,
 						  zone->task,
 						  keyfetch_done, kfetch,
 						  &kfetch->dnskeyset,
@@ -9350,12 +9783,10 @@ zone_refreshkeys(dns_zone_t *zone) {
 		isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80);
 		dns_zone_log(zone, ISC_LOG_DEBUG(1), "retry key refresh: %s",
 			     timebuf);
-
-		if (!fetching)
-			DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
 	}
 
-	UNLOCK_ZONE(zone);
+	if (!fetching)
+		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_REFRESHING);
 
 	dns_diff_clear(&diff);
 	if (ver != NULL) {
@@ -9364,6 +9795,8 @@ zone_refreshkeys(dns_zone_t *zone) {
 	}
 	dns_db_detach(&db);
 
+	UNLOCK_ZONE(zone);
+
 	INSIST(ver == NULL);
 }
 
@@ -9402,6 +9835,7 @@ zone_maintenance(dns_zone_t *zone) {
 	case dns_zone_redirect:
 		if (zone->masters == NULL)
 			break;
+		/* FALLTHROUGH */
 	case dns_zone_slave:
 	case dns_zone_stub:
 		LOCK_ZONE(zone);
@@ -9423,6 +9857,7 @@ zone_maintenance(dns_zone_t *zone) {
 	case dns_zone_redirect:
 		if (zone->masters == NULL)
 			break;
+		/* FALLTHROUGH */
 	case dns_zone_slave:
 	case dns_zone_stub:
 		if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_DIALREFRESH) &&
@@ -10444,13 +10879,13 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
+	isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
 	if (notify->key != NULL) {
 		/* Transfer ownership of key */
 		key = notify->key;
 		notify->key = NULL;
 	} else {
 		isc_netaddr_fromsockaddr(&dstip, &notify->dst);
-		isc_sockaddr_format(&notify->dst, addrbuf, sizeof(addrbuf));
 		result = dns_view_getpeertsig(notify->zone->view, &dstip, &key);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 			notify_log(notify->zone, ISC_LOG_ERROR,
@@ -10533,7 +10968,7 @@ notify_send(dns_notify_t *notify) {
 	dns_adbaddrinfo_t *ai;
 	isc_sockaddr_t dst;
 	isc_result_t result;
-	dns_notify_t *new = NULL;
+	dns_notify_t *newnotify = NULL;
 	unsigned int flags;
 	isc_boolean_t startup;
 
@@ -10555,24 +10990,24 @@ notify_send(dns_notify_t *notify) {
 			continue;
 		if (notify_isself(notify->zone, &dst))
 			continue;
-		new = NULL;
+		newnotify = NULL;
 		flags = notify->flags & DNS_NOTIFY_NOSOA;
-		result = notify_create(notify->mctx, flags, &new);
+		result = notify_create(notify->mctx, flags, &newnotify);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		zone_iattach(notify->zone, &new->zone);
-		ISC_LIST_APPEND(new->zone->notifies, new, link);
-		new->dst = dst;
+		zone_iattach(notify->zone, &newnotify->zone);
+		ISC_LIST_APPEND(newnotify->zone->notifies, newnotify, link);
+		newnotify->dst = dst;
 		startup = ISC_TF((notify->flags & DNS_NOTIFY_STARTUP) != 0);
-		result = notify_send_queue(new, startup);
+		result = notify_send_queue(newnotify, startup);
 		if (result != ISC_R_SUCCESS)
 			goto cleanup;
-		new = NULL;
+		newnotify = NULL;
 	}
 
  cleanup:
-	if (new != NULL)
-		notify_destroy(new, ISC_TRUE);
+	if (newnotify != NULL)
+		notify_destroy(newnotify, ISC_TRUE);
 }
 
 void
@@ -12525,6 +12960,13 @@ isc_result_t
 dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		       dns_message_t *msg)
 {
+	return (dns_zone_notifyreceive2(zone, from, NULL, msg));
+}
+
+isc_result_t
+dns_zone_notifyreceive2(dns_zone_t *zone, isc_sockaddr_t *from,
+			isc_sockaddr_t *to, dns_message_t *msg)
+{
 	unsigned int i;
 	dns_rdata_soa_t soa;
 	dns_rdataset_t *rdataset = NULL;
@@ -12533,7 +12975,6 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	char fromtext[ISC_SOCKADDR_FORMATSIZE];
 	int match = 0;
 	isc_netaddr_t netaddr;
-	isc_sockaddr_t local, remote;
 	isc_uint32_t serial = 0;
 	isc_boolean_t have_serial = ISC_FALSE;
 	dns_tsigkey_t *tsigkey;
@@ -12569,7 +13010,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	LOCK_ZONE(zone);
 	INSIST(zone != zone->raw);
 	if (inline_secure(zone)) {
-		result = dns_zone_notifyreceive(zone->raw, from, msg);
+		result = dns_zone_notifyreceive2(zone->raw, from, to, msg);
 		UNLOCK_ZONE(zone);
 		return (result);
 	}
@@ -12713,10 +13154,11 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		dns_zone_log(zone, ISC_LOG_INFO, "notify from %s: no serial",
 			     fromtext);
 	zone->notifyfrom = *from;
-	remote = zone->masteraddr;
-	local = zone->sourceaddr;
 	UNLOCK_ZONE(zone);
-	dns_zonemgr_unreachabledel(zone->zmgr, &remote, &local);
+
+	if (to != NULL) {
+		dns_zonemgr_unreachabledel(zone->zmgr, from, to);
+	}
 	dns_zone_refresh(zone);
 	return (ISC_R_SUCCESS);
 }
@@ -13535,6 +13977,7 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 	dns_zone_t *zone;
 	dns_difftuple_t *tuple = NULL, *soatuple = NULL;
 	dns_update_log_t log = { update_log_cb, NULL };
+	isc_uint32_t newserial = 0, desired = 0;
 	isc_time_t timenow;
 
 	UNUSED(task);
@@ -13642,7 +14085,7 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 				     zone->rss_newver));
 
 		if (soatuple != NULL) {
-			isc_uint32_t oldserial, newserial, desired;
+			isc_uint32_t oldserial;
 
 			CHECK(dns_db_createsoatuple(zone->rss_db,
 						    zone->rss_oldver,
@@ -13661,9 +14104,6 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 					   zone->rss_newver, &zone->rss_diff));
 			CHECK(do_one_tuple(&soatuple, zone->rss_db,
 					   zone->rss_newver, &zone->rss_diff));
-			dns_zone_log(zone, ISC_LOG_INFO,
-				     "serial %u (unsigned %u)",
-				     newserial, desired);
 		} else
 			CHECK(update_soa_serial(zone->rss_db, zone->rss_newver,
 						&zone->rss_diff, zone->mctx,
@@ -13682,8 +14122,17 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 		fprintf(stderr, "looping on dns_update_signaturesinc\n");
 		return;
 	}
-	if (result != ISC_R_SUCCESS)
+	/*
+	 * If something went wrong while trying to update the secure zone and
+	 * the latter was already signed before, do not apply raw zone deltas
+	 * to it as that would break existing DNSSEC signatures.  However, if
+	 * the secure zone was not yet signed (e.g. because no signing keys
+	 * were created for it), commence applying raw zone deltas to it so
+	 * that contents of the raw zone and the secure zone are kept in sync.
+	 */
+	if (result != ISC_R_SUCCESS && dns_db_issecure(zone->rss_db)) {
 		goto failure;
+	}
 
 	if (rjournal == NULL)
 		CHECK(dns_journal_open(zone->rss_raw->mctx,
@@ -13709,6 +14158,11 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 	dns_db_closeversion(zone->rss_db, &zone->rss_oldver, ISC_FALSE);
 	dns_db_closeversion(zone->rss_db, &zone->rss_newver, ISC_TRUE);
 
+	if (newserial != 0) {
+		dns_zone_log(zone, ISC_LOG_INFO, "serial %u (unsigned %u)",
+			     newserial, desired);
+	}
+
  failure:
 	isc_event_free(&zone->rss_event);
 	event = ISC_LIST_HEAD(zone->rss_events);
@@ -13741,6 +14195,7 @@ receive_secure_serial(isc_task_t *task, isc_event_t *event) {
 		LOCK_ZONE(zone);
 		INSIST(zone->irefs > 1);
 		zone->irefs--;
+		ISC_LIST_UNLINK(zone->rss_events, event, ev_link);
 		goto nextevent;
 	}
 	dns_zone_idetach(&zone);
@@ -13974,9 +14429,7 @@ save_nsec3param(dns_zone_t *zone, nsec3paramlist_t *nsec3list) {
 }
 
 /*
- * Walk the list of the nsec3 chains desired for the zone, converting
- * parameters to private type records using dns_nsec3param_toprivate(),
- * and insert them into the new zone db.
+ * Populate new zone db with private type records found by save_nsec3param().
  */
 static isc_result_t
 restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
@@ -14009,20 +14462,11 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
 		rdata.data = nsec3p->data;
 		rdata.type = zone->privatetype;
 		rdata.rdclass = zone->rdclass;
-		CHECK(update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
-				    &zone->origin, 0, &rdata));
-	}
-
-	result = ISC_R_SUCCESS;
-
-failure:
-	for (nsec3p = ISC_LIST_HEAD(*nsec3list);
-	     nsec3p != NULL;
-	     nsec3p = next)
-	{
-		next = ISC_LIST_NEXT(nsec3p, link);
-		ISC_LIST_UNLINK(*nsec3list, nsec3p, link);
-		isc_mem_put(zone->mctx, nsec3p, sizeof(nsec3param_t));
+		result = update_one_rr(db, version, &diff, DNS_DIFFOP_ADD,
+				       &zone->origin, 0, &rdata);
+		if (result != ISC_R_SUCCESS) {
+			break;
+		}
 	}
 
 	dns_diff_clear(&diff);
@@ -14146,8 +14590,12 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
 	 * Call restore_nsec3param() to create private-type records from
 	 * the old nsec3 parameters and insert them into db
 	 */
-	if (!ISC_LIST_EMPTY(nsec3list))
-		restore_nsec3param(zone, db, version, &nsec3list);
+	if (!ISC_LIST_EMPTY(nsec3list)) {
+		result = restore_nsec3param(zone, db, version, &nsec3list);
+		if (result != ISC_R_SUCCESS) {
+			goto failure;
+		}
+	}
 
 	dns_db_closeversion(db, &version, ISC_TRUE);
 
@@ -14336,8 +14784,14 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 
 		result = dns_db_diff(zone->mctx, db, ver, zone->db, NULL,
 				     zone->journal);
-		if (result != ISC_R_SUCCESS)
-			goto fail;
+		if (result != ISC_R_SUCCESS) {
+			char strbuf[ISC_STRERRORSIZE];
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "ixfr-from-differences: failed: "
+				     "%s", strbuf);
+			goto fallback;
+		}
 		if (dump)
 			zone_needdump(zone, DNS_DUMP_DELAY);
 		else if (zone->journalsize != -1) {
@@ -14361,6 +14815,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 		if (zone->type == dns_zone_master && inline_raw(zone))
 			zone_send_secureserial(zone, serial);
 	} else {
+ fallback:
 		if (dump && zone->masterfile != NULL) {
 			/*
 			 * If DNS_ZONEFLG_FORCEXFER was set we don't want
@@ -14503,7 +14958,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 	switch (xfrresult) {
 	case ISC_R_SUCCESS:
 		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
-		/*FALLTHROUGH*/
+		/* FALLTHROUGH */
 	case DNS_R_UPTODATE:
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLG_FORCEXFER);
 		/*
@@ -16629,7 +17084,7 @@ dns_zone_getnotifydelay(dns_zone_t *zone) {
 
 isc_result_t
 dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
-		     isc_uint16_t keyid, isc_boolean_t delete)
+		     isc_uint16_t keyid, isc_boolean_t deleteit)
 {
 	isc_result_t result;
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -16638,31 +17093,27 @@ dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
 		     "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
 		     algorithm, keyid);
 	LOCK_ZONE(zone);
-	result = zone_signwithkey(zone, algorithm, keyid, delete);
+	result = zone_signwithkey(zone, algorithm, keyid, deleteit);
 	UNLOCK_ZONE(zone);
 
 	return (result);
 }
 
-static const char *hex = "0123456789ABCDEF";
-
+/*
+ * Called when a dynamic update for an NSEC3PARAM record is received.
+ *
+ * If set, transform the NSEC3 salt into human-readable form so that it can be
+ * logged.  Then call zone_addnsec3chain(), passing NSEC3PARAM RDATA to it.
+ */
 isc_result_t
 dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
 	isc_result_t result;
 	char salt[255*2+1];
-	unsigned int i, j;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 
-	if (nsec3param->salt_length != 0) {
-		INSIST((nsec3param->salt_length * 2U) < sizeof(salt));
-		for (i = 0, j = 0; i < nsec3param->salt_length; i++) {
-			salt[j++] = hex[(nsec3param->salt[i] >> 4) & 0xf];
-			salt[j++] = hex[nsec3param->salt[i] & 0xf];
-		}
-		salt[j] = '\0';
-	} else
-		strcpy(salt, "-");
+	result = dns_nsec3param_salttotext(nsec3param, salt, sizeof(salt));
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	dns_zone_log(zone, ISC_LOG_NOTICE,
 		     "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
 		     nsec3param->hash, nsec3param->iterations,
@@ -16718,7 +17169,7 @@ dns_zone_getprivatetype(dns_zone_t *zone) {
 
 static isc_result_t
 zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
-		 isc_boolean_t delete)
+		 isc_boolean_t deleteit)
 {
 	dns_signing_t *signing;
 	dns_signing_t *current;
@@ -16735,7 +17186,7 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
 	signing->dbiterator = NULL;
 	signing->algorithm = algorithm;
 	signing->keyid = keyid;
-	signing->delete = delete;
+	signing->deleteit = deleteit;
 	signing->done = ISC_FALSE;
 
 	TIME_NOW(&now);
@@ -16758,7 +17209,7 @@ zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
 		if (current->db == signing->db &&
 		    current->algorithm == signing->algorithm &&
 		    current->keyid == signing->keyid) {
-			if (current->delete != signing->delete)
+			if (current->deleteit != signing->deleteit)
 				current->done = ISC_TRUE;
 			else
 				goto cleanup;
@@ -16954,7 +17405,7 @@ add_signing_records(dns_db_t *db, dns_rdatatype_t privatetype,
 
 static isc_result_t
 sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
-	  dns_diff_t *diff, zonediff_t *zonediff)
+	  dns_diff_t *diff, dns__zonediff_t *zonediff)
 {
 	isc_result_t result;
 	isc_stdtime_t now, inception, soaexpire;
@@ -16963,11 +17414,11 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	unsigned int nkeys = 0, i;
 	dns_difftuple_t *tuple;
 
-	result = find_zone_keys(zone, db, ver, zone->mctx, DNS_MAXZONEKEYS,
-				zone_keys, &nkeys);
+	result = dns__zone_findkeys(zone, db, ver, zone->mctx,
+				    DNS_MAXZONEKEYS, zone_keys, &nkeys);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sign_apex:find_zone_keys -> %s",
+			     "sign_apex:dns__zone_findkeys -> %s",
 			     dns_result_totext(result));
 		return (result);
 	}
@@ -16980,9 +17431,8 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 	keyset_kskonly = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_DNSKEYKSKONLY);
 
 	/*
-	 * See if update_sigs will update DNSKEY signature and if not
-	 * cause them to sign so that so that newly activated keys
-	 * are used.
+	 * See if dns__zone_updatesigs() will update DNSKEY signature and if
+	 * not cause them to sign so that newly activated keys are used.
 	 */
 	for (tuple = ISC_LIST_HEAD(diff->tuples);
 	     tuple != NULL;
@@ -17014,13 +17464,12 @@ sign_apex(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
 		}
 	}
 
-	result = update_sigs(diff, db, ver, zone_keys, nkeys, zone,
-			     inception, soaexpire, now, check_ksk,
-			     keyset_kskonly, zonediff);
-
+	result = dns__zone_updatesigs(diff, db, ver, zone_keys, nkeys, zone,
+				      inception, soaexpire, now, check_ksk,
+				      keyset_kskonly, zonediff);
 	if (result != ISC_R_SUCCESS) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "sign_apex:update_sigs -> %s",
+			     "sign_apex:dns__zone_updatesigs -> %s",
 			     dns_result_totext(result));
 		goto failure;
 	}
@@ -17174,7 +17623,7 @@ zone_rekey(dns_zone_t *zone) {
 	dns_dnsseckeylist_t dnskeys, keys, rmkeys;
 	dns_dnsseckey_t *key;
 	dns_diff_t diff, _sig_diff;
-	zonediff_t zonediff;
+	dns__zonediff_t zonediff;
 	isc_boolean_t commit = ISC_FALSE, newactive = ISC_FALSE;
 	isc_boolean_t newalg = ISC_FALSE;
 	isc_boolean_t fullsign;
@@ -18012,7 +18461,7 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
 
 		kd->all = ISC_FALSE;
 
-		n = sscanf(keystr, "%hd/", &keyid);
+		n = sscanf(keystr, "%hu/", &keyid);
 		if (n == 0U)
 			CHECK(ISC_R_FAILURE);
 
@@ -18022,7 +18471,7 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
 		else
 			CHECK(ISC_R_FAILURE);
 
-		n = sscanf(algstr, "%hhd", &alg);
+		n = sscanf(algstr, "%hhu", &alg);
 		if (n == 0U) {
 			DE_CONST(algstr, r.base);
 			r.length = strlen(algstr);
@@ -18048,6 +18497,15 @@ dns_zone_keydone(dns_zone_t *zone, const char *keystr) {
 	return (result);
 }
 
+/*
+ * Called from the zone task's queue after the relevant event is posted by
+ * dns_zone_setnsec3param().
+ *
+ * Check whether NSEC3 chain addition or removal specified by the private-type
+ * record passed with the event was already queued (or even fully performed).
+ * If not, modify the relevant private-type records at the zone apex and call
+ * resume_addnsec3chain().
+ */
 static void
 setnsec3param(isc_task_t *task, isc_event_t *event) {
 	const char *me = "setnsec3param";
@@ -18148,7 +18606,9 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
 
 
 	/*
-	 * We need to remove any existing NSEC3 chains.
+	 * We need to remove any existing NSEC3 chains if the supplied NSEC3
+	 * parameters are supposed to replace the current ones or if we are
+	 * switching to NSEC.
 	 */
 	if (!exists && np->replace && (np->length != 0 || np->nsec))
 		CHECK(dns_nsec3param_deletechains(db, newver, zone,
@@ -18156,12 +18616,14 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
 
 	if (!exists && np->length != 0) {
 		/*
-		 * We're creating an NSEC3 chain.
+		 * We're creating an NSEC3 chain.  Add the private-type record
+		 * passed in the event handler's argument to the zone apex.
 		 *
-		 * If the zone is not currently capable of supporting
-		 * an NSEC3 chain, add the INITIAL flag, so these
-		 * parameters can be used later when NSEC3 becomes
-		 * available.
+		 * If the zone is not currently capable of supporting an NSEC3
+		 * chain (due to the DNSKEY RRset at the zone apex not existing
+		 * or containing at least one key using an NSEC-only
+		 * algorithm), add the INITIAL flag, so these parameters can be
+		 * used later when NSEC3 becomes available.
 		 */
 		dns_rdata_init(&rdata);
 
@@ -18178,8 +18640,13 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
 				    &zone->origin, 0, &rdata));
 	}
 
+	/*
+	 * If we changed anything in the zone, write changes to journal file
+	 * and set commit to ISC_TRUE so that resume_addnsec3chain() will be
+	 * called below in order to kick off adding/removing relevant NSEC3
+	 * records.
+	 */
 	if (!ISC_LIST_EMPTY(diff.tuples)) {
-		/* Write changes to journal file. */
 		CHECK(update_soa_serial(db, newver, &diff, zone->mctx,
 					zone->updatemethod));
 		result = dns_update_signatures(&log, zone, db,
@@ -18209,8 +18676,11 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
 		dns_db_closeversion(db, &newver, commit);
 	if (db != NULL)
 		dns_db_detach(&db);
-	if (commit)
+	if (commit) {
+		LOCK_ZONE(zone);
 		resume_addnsec3chain(zone);
+		UNLOCK_ZONE(zone);
+	}
 	dns_diff_clear(&diff);
 	isc_event_free(&event);
 	dns_zone_idetach(&zone);
@@ -18219,6 +18689,25 @@ setnsec3param(isc_task_t *task, isc_event_t *event) {
 	INSIST(newver == NULL);
 }
 
+/*
+ * Called when an "rndc signing -nsec3param ..." command is received.
+ *
+ * Allocate and prepare an nsec3param_t structure which holds information about
+ * the NSEC3 changes requested for the zone:
+ *
+ *   - if NSEC3 is to be disabled ("-nsec3param none"), only set the "nsec"
+ *     field of the structure to ISC_TRUE and the "replace" field to the value
+ *     of the "replace" argument, leaving other fields initialized to zeros, to
+ *     signal that the zone should be signed using NSEC instead of NSEC3,
+ *
+ *   - otherwise, prepare NSEC3PARAM RDATA that will eventually be inserted at
+ *     the zone apex, convert it to a private-type record and store the latter
+ *     in the "data" field of the nsec3param_t structure.
+ *
+ * Once the nsec3param_t structure is prepared, post an event to the zone's
+ * task which will cause setnsec3param() to be called with the prepared
+ * structure passed as an argument.
+ */
 isc_result_t
 dns_zone_setnsec3param(dns_zone_t *zone, isc_uint8_t hash, isc_uint8_t flags,
 		       isc_uint16_t iter, isc_uint8_t saltlen,
@@ -18271,6 +18760,7 @@ dns_zone_setnsec3param(dns_zone_t *zone, isc_uint8_t hash, isc_uint8_t flags,
 		dns_nsec3param_toprivate(&nrdata, &prdata, zone->privatetype,
 					 np->data, sizeof(np->data));
 		np->length = prdata.length;
+		np->nsec = ISC_FALSE;
 	}
 
 	zone_iattach(zone, &dummy);
diff --git a/usr.sbin/bind/lib/dns/zone_p.h b/usr.sbin/bind/lib/dns/zone_p.h
new file mode 100644
index 00000000000..44feb8cb0c3
--- /dev/null
+++ b/usr.sbin/bind/lib/dns/zone_p.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef DNS_ZONE_P_H
+#define DNS_ZONE_P_H
+
+/*! \file */
+
+/*%
+ *     Types and functions below not be used outside this module and its
+ *     associated unit tests.
+ */
+
+ISC_LANG_BEGINDECLS
+
+typedef struct {
+	dns_diff_t	*diff;
+	isc_boolean_t	offline;
+} dns__zonediff_t;
+
+isc_result_t
+dns__zone_findkeys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+		   isc_mem_t *mctx, unsigned int maxkeys,
+		   dst_key_t **keys, unsigned int *nkeys);
+
+isc_result_t
+dns__zone_updatesigs(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *version,
+		     dst_key_t *zone_keys[], unsigned int nkeys,
+		     dns_zone_t *zone, isc_stdtime_t inception,
+		     isc_stdtime_t expire, isc_stdtime_t now,
+		     isc_boolean_t check_ksk, isc_boolean_t keyset_kskonly,
+		     dns__zonediff_t *zonediff);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_ZONE_P_H */
diff --git a/usr.sbin/bind/lib/dns/zonekey.c b/usr.sbin/bind/lib/dns/zonekey.c
index 02873949791..78bb2efdac2 100644
--- a/usr.sbin/bind/lib/dns/zonekey.c
+++ b/usr.sbin/bind/lib/dns/zonekey.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: zonekey.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -50,6 +49,6 @@ dns_zonekey_iszonekey(dns_rdata_t *keyrdata) {
 	if (key.protocol != DNS_KEYPROTO_DNSSEC &&
 	key.protocol != DNS_KEYPROTO_ANY)
 		iszonekey = ISC_FALSE;
-	
+
 	return (iszonekey);
 }
diff --git a/usr.sbin/bind/lib/dns/zt.c b/usr.sbin/bind/lib/dns/zt.c
index 021cc2db7a5..d520c1b782d 100644
--- a/usr.sbin/bind/lib/dns/zt.c
+++ b/usr.sbin/bind/lib/dns/zt.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.c,v 1.2 2019/12/16 16:16:24 deraadt Exp $ */
+/* $Id: zt.c,v 1.3 2019/12/17 01:46:32 sthen Exp $ */
 
 /*! \file */
 
@@ -432,6 +431,54 @@ freezezones(dns_zone_t *zone, void *uap) {
 	return (result);
 }
 
+void
+dns_zt_setviewcommit(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain, zt->mctx);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL,
+						  &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewcommit(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
+void
+dns_zt_setviewrevert(dns_zt_t *zt) {
+	dns_rbtnode_t *node;
+	dns_rbtnodechain_t chain;
+	isc_result_t result;
+
+	REQUIRE(VALID_ZT(zt));
+
+	dns_rbtnodechain_init(&chain, zt->mctx);
+
+	result = dns_rbtnodechain_first(&chain, zt->table, NULL, NULL);
+	while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
+		result = dns_rbtnodechain_current(&chain, NULL, NULL,
+						  &node);
+		if (result == ISC_R_SUCCESS && node->data != NULL) {
+			dns_zone_setviewrevert(node->data);
+		}
+
+		result = dns_rbtnodechain_next(&chain, NULL, NULL);
+	}
+
+	dns_rbtnodechain_invalidate(&chain);
+}
+
 isc_result_t
 dns_zt_apply(dns_zt_t *zt, isc_boolean_t stop,
 	     isc_result_t (*action)(dns_zone_t *, void *), void *uap)
diff --git a/usr.sbin/bind/lib/irs/Makefile.in b/usr.sbin/bind/lib/irs/Makefile.in
index aa9e31d1b42..bb5b5f51934 100644
--- a/usr.sbin/bind/lib/irs/Makefile.in
+++ b/usr.sbin/bind/lib/irs/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1 2019/12/16 16:31:35 deraadt Exp $
+# $Id: Makefile.in,v 1.2 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -26,7 +26,7 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =	-I. -I./include -I${srcdir}/include \
 		${DNS_INCLUDES} ${ISC_INCLUDES} \
-		@ISC_OPENSSL_INC@ ${ISCCFG_INCLUDES}
+		${ISCCFG_INCLUDES} @ISC_OPENSSL_INC@
 
 CDEFINES =	@CRYPTO@
 CWARNINGS =
@@ -72,6 +72,8 @@ libirs.la: ${OBJS} version.@O@
 timestamp: libirs.@A@
 	touch timestamp
 
+testdirs: libirs.@A@
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 
diff --git a/usr.sbin/bind/lib/irs/api b/usr.sbin/bind/lib/irs/api
index 6538b214934..a28187df4b8 100644
--- a/usr.sbin/bind/lib/irs/api
+++ b/usr.sbin/bind/lib/irs/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
 LIBINTERFACE = 141
-LIBREVISION = 5
+LIBREVISION = 9
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/irs/context.c b/usr.sbin/bind/lib/irs/context.c
index 231bd625780..cc8ad9ec547 100644
--- a/usr.sbin/bind/lib/irs/context.c
+++ b/usr.sbin/bind/lib/irs/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: context.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/irs/dnsconf.c b/usr.sbin/bind/lib/irs/dnsconf.c
index a11323b428d..bf873ce15c3 100644
--- a/usr.sbin/bind/lib/irs/dnsconf.c
+++ b/usr.sbin/bind/lib/irs/dnsconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: dnsconf.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/irs/gai_strerror.c b/usr.sbin/bind/lib/irs/gai_strerror.c
index ee043dde8b2..ff92d883e9c 100644
--- a/usr.sbin/bind/lib/irs/gai_strerror.c
+++ b/usr.sbin/bind/lib/irs/gai_strerror.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: gai_strerror.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file gai_strerror.c
  * gai_strerror() returns an error message corresponding to an
diff --git a/usr.sbin/bind/lib/irs/getaddrinfo.c b/usr.sbin/bind/lib/irs/getaddrinfo.c
index 4c5c5812f4e..96c3fe4b7b2 100644
--- a/usr.sbin/bind/lib/irs/getaddrinfo.c
+++ b/usr.sbin/bind/lib/irs/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: getaddrinfo.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -135,6 +135,7 @@
 #include <isc/buffer.h>
 #include <isc/lib.h>
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/sockaddr.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -381,8 +382,7 @@ getaddrinfo(const char *hostname, const char *servname,
 		 */
 		ntmp[0] = '\0';
 		if (strchr(hostname, '%') != NULL) {
-			strncpy(ntmp, hostname, sizeof(ntmp) - 1);
-			ntmp[sizeof(ntmp) - 1] = '\0';
+			strlcpy(ntmp, hostname, sizeof(ntmp));
 			p = strchr(ntmp, '%');
 			ep = NULL;
 
@@ -689,6 +689,7 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 	dns_clientresevent_t *rev = (dns_clientresevent_t *)event;
 	dns_rdatatype_t qtype;
 	dns_name_t *name;
+	isc_boolean_t wantcname;
 
 	REQUIRE(trans != NULL);
 	resstate = trans->resstate;
@@ -732,14 +733,26 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 		goto done;
 	}
 
+	wantcname = ISC_TF((resstate->head->ai_flags & AI_CANONNAME) != 0);
+
 	/* Parse the response and construct the addrinfo chain */
 	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
 	     name = ISC_LIST_NEXT(name, link)) {
 		isc_result_t result;
 		dns_rdataset_t *rdataset;
-		isc_buffer_t b;
-		isc_region_t r;
-		char t[1024];
+		char cname[1024];
+
+		if (wantcname) {
+			isc_buffer_t b;
+
+			isc_buffer_init(&b, cname, sizeof(cname));
+			result = dns_name_totext(name, ISC_TRUE, &b);
+			if (result != ISC_R_SUCCESS) {
+				error = EAI_FAIL;
+				goto done;
+			}
+			isc_buffer_putuint8(&b, '\0');
+		}
 
 		for (rdataset = ISC_LIST_HEAD(name->list);
 		     rdataset != NULL;
@@ -749,17 +762,6 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 			if (rdataset->type != qtype)
 				continue;
 
-			if ((resstate->head->ai_flags & AI_CANONNAME) != 0) {
-				isc_buffer_init(&b, t, sizeof(t));
-				result = dns_name_totext(name, ISC_TRUE, &b);
-				if (result != ISC_R_SUCCESS) {
-					error = EAI_FAIL;
-					goto done;
-				}
-				isc_buffer_putuint8(&b, '\0');
-				isc_buffer_usedregion(&b, &r);
-			}
-
 			for (result = dns_rdataset_first(rdataset);
 			     result == ISC_R_SUCCESS;
 			     result = dns_rdataset_next(rdataset)) {
@@ -788,7 +790,8 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 				switch (family) {
 				case AF_INET:
 					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_a,
+					result = dns_rdata_tostruct(&rdata,
+								    &rdata_a,
 								    NULL);
 					RUNTIME_CHECK(result == ISC_R_SUCCESS);
 					SIN(ai->ai_addr)->sin_port =
@@ -799,7 +802,8 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 					break;
 				case AF_INET6:
 					dns_rdataset_current(rdataset, &rdata);
-					result = dns_rdata_tostruct(&rdata, &rdata_aaaa,
+					result = dns_rdata_tostruct(&rdata,
+								    &rdata_aaaa,
 								    NULL);
 					RUNTIME_CHECK(result == ISC_R_SUCCESS);
 					SIN6(ai->ai_addr)->sin6_port =
@@ -810,10 +814,8 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 					break;
 				}
 
-				if ((resstate->head->ai_flags & AI_CANONNAME)
-				    != 0) {
-					ai->ai_canonname =
-						strdup((const char *)r.base);
+				if (wantcname) {
+					ai->ai_canonname = strdup(cname);
 					if (ai->ai_canonname == NULL) {
 						error = EAI_MEMORY;
 						goto done;
diff --git a/usr.sbin/bind/lib/irs/getnameinfo.c b/usr.sbin/bind/lib/irs/getnameinfo.c
index 9d7e3c7429e..44c264d5bec 100644
--- a/usr.sbin/bind/lib/irs/getnameinfo.c
+++ b/usr.sbin/bind/lib/irs/getnameinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: getnameinfo.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -103,6 +103,7 @@
 #include <isc/netaddr.h>
 #include <isc/print.h>
 #include <isc/sockaddr.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
 #include <dns/byaddr.h>
@@ -213,11 +214,11 @@ getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
 		snprintf(numserv, sizeof(numserv), "%d", ntohs(port));
 		if ((strlen(numserv) + 1) > servlen)
 			ERR(EAI_OVERFLOW);
-		strcpy(serv, numserv);
+		strlcpy(serv, numserv, servlen);
 	} else {
 		if ((strlen(sp->s_name) + 1) > servlen)
 			ERR(EAI_OVERFLOW);
-		strcpy(serv, sp->s_name);
+		strlcpy(serv, sp->s_name, servlen);
 	}
 
 #if 0
@@ -274,7 +275,7 @@ getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
 #endif
 		if (strlen(numaddr) + 1 > hostlen)
 			ERR(EAI_OVERFLOW);
-		strcpy(host, numaddr);
+		strlcpy(host, numaddr, hostlen);
 	} else {
 		isc_netaddr_t netaddr;
 		dns_fixedname_t ptrfname;
@@ -328,8 +329,13 @@ getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
 		case DNS_R_NOVALIDKEY:
 		case DNS_R_NOVALIDDS:
 		case DNS_R_NOVALIDSIG:
-			ERR(EAI_INSECUREDATA);
-			break;
+			/*
+			 * Don't use ERR as GCC 7 wants to raise a
+			 * warning with ERR about possible falling
+			 * through which is impossible.
+			 */
+			result = EAI_INSECUREDATA;
+			goto cleanup;
 		default:
 			ERR(EAI_FAIL);
 		}
@@ -400,7 +406,7 @@ getnameinfo(const struct sockaddr *sa, IRS_GETNAMEINFO_SOCKLEN_T salen,
 				ERR(EAI_SYSTEM);
 			if ((strlen(numaddr) + 1) > hostlen)
 				ERR(EAI_OVERFLOW);
-			strcpy(host, numaddr);
+			strlcpy(host, numaddr, hostlen);
 		}
 	}
 	result = SUCCESS;
diff --git a/usr.sbin/bind/lib/irs/include/Makefile.in b/usr.sbin/bind/lib/irs/include/Makefile.in
index 8c547353d55..3ba19487bf2 100644
--- a/usr.sbin/bind/lib/irs/include/Makefile.in
+++ b/usr.sbin/bind/lib/irs/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1 2019/12/16 16:31:35 deraadt Exp $
+# $Id: Makefile.in,v 1.2 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/irs/include/irs/Makefile.in b/usr.sbin/bind/lib/irs/include/irs/Makefile.in
index 732920786bf..35c4e466771 100644
--- a/usr.sbin/bind/lib/irs/include/irs/Makefile.in
+++ b/usr.sbin/bind/lib/irs/include/irs/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1 2019/12/16 16:31:35 deraadt Exp $
+# $Id: Makefile.in,v 1.2 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/irs/include/irs/context.h b/usr.sbin/bind/lib/irs/include/irs/context.h
index 0d64eae869b..0cf5b1b8ab5 100644
--- a/usr.sbin/bind/lib/irs/include/irs/context.h
+++ b/usr.sbin/bind/lib/irs/include/irs/context.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: context.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef IRS_CONTEXT_H
 #define IRS_CONTEXT_H 1
diff --git a/usr.sbin/bind/lib/irs/include/irs/dnsconf.h b/usr.sbin/bind/lib/irs/include/irs/dnsconf.h
index ba093c5f3a3..37dd8573a3d 100644
--- a/usr.sbin/bind/lib/irs/include/irs/dnsconf.h
+++ b/usr.sbin/bind/lib/irs/include/irs/dnsconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: dnsconf.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef IRS_DNSCONF_H
 #define IRS_DNSCONF_H 1
diff --git a/usr.sbin/bind/lib/irs/include/irs/netdb.h.in b/usr.sbin/bind/lib/irs/include/irs/netdb.h.in
index 173f8716729..48b7aecb6dd 100644
--- a/usr.sbin/bind/lib/irs/include/irs/netdb.h.in
+++ b/usr.sbin/bind/lib/irs/include/irs/netdb.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: netdb.h.in,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/irs/include/irs/platform.h.in b/usr.sbin/bind/lib/irs/include/irs/platform.h.in
index be719071ba4..86dc8182c5c 100644
--- a/usr.sbin/bind/lib/irs/include/irs/platform.h.in
+++ b/usr.sbin/bind/lib/irs/include/irs/platform.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: platform.h.in,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/irs/include/irs/resconf.h b/usr.sbin/bind/lib/irs/include/irs/resconf.h
index ba2b813d296..dea4753aa2f 100644
--- a/usr.sbin/bind/lib/irs/include/irs/resconf.h
+++ b/usr.sbin/bind/lib/irs/include/irs/resconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resconf.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: resconf.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef IRS_RESCONF_H
 #define IRS_RESCONF_H 1
diff --git a/usr.sbin/bind/lib/irs/include/irs/types.h b/usr.sbin/bind/lib/irs/include/irs/types.h
index 78d95b7bb60..11244cb10ec 100644
--- a/usr.sbin/bind/lib/irs/include/irs/types.h
+++ b/usr.sbin/bind/lib/irs/include/irs/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: types.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef IRS_TYPES_H
 #define IRS_TYPES_H 1
diff --git a/usr.sbin/bind/lib/irs/include/irs/version.h b/usr.sbin/bind/lib/irs/include/irs/version.h
index d3ec43d396b..23c22a95c72 100644
--- a/usr.sbin/bind/lib/irs/include/irs/version.h
+++ b/usr.sbin/bind/lib/irs/include/irs/version.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: version.h,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/irs/resconf.c b/usr.sbin/bind/lib/irs/resconf.c
index 3dc6e089724..010ed37776b 100644
--- a/usr.sbin/bind/lib/irs/resconf.c
+++ b/usr.sbin/bind/lib/irs/resconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resconf.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: resconf.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file resconf.c */
 
@@ -508,6 +508,7 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
 
 	conf->mctx = mctx;
 	ISC_LIST_INIT(conf->nameservers);
+	ISC_LIST_INIT(conf->searchlist);
 	conf->numns = 0;
 	conf->domainname = NULL;
 	conf->searchnxt = 0;
@@ -562,6 +563,10 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
 		}
 	}
 
+	if (ret != ISC_R_SUCCESS) {
+		goto error;
+	}
+
 	/* If we don't find a nameserver fall back to localhost */
 	if (conf->numns == 0U) {
 		INSIST(ISC_LIST_EMPTY(conf->nameservers));
@@ -575,7 +580,6 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
 	 * Construct unified search list from domain or configured
 	 * search list
 	 */
-	ISC_LIST_INIT(conf->searchlist);
 	if (conf->domainname != NULL) {
 		ret = add_search(conf, conf->domainname);
 	} else if (conf->searchnxt > 0) {
@@ -586,6 +590,7 @@ irs_resconf_load(isc_mem_t *mctx, const char *filename, irs_resconf_t **confp)
 		}
 	}
 
+ error:
 	conf->magic = IRS_RESCONF_MAGIC;
 
 	if (ret != ISC_R_SUCCESS)
diff --git a/usr.sbin/bind/lib/irs/version.c b/usr.sbin/bind/lib/irs/version.c
index bf6cb4e6a49..08828addcdd 100644
--- a/usr.sbin/bind/lib/irs/version.c
+++ b/usr.sbin/bind/lib/irs/version.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: version.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/Makefile.in b/usr.sbin/bind/lib/isc/Makefile.in
index c52896efe0e..f7ca5e957a3 100644
--- a/usr.sbin/bind/lib/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -29,7 +28,7 @@ CINCLUDES =	-I${srcdir}/unix/include \
 		-I${srcdir}/@ISC_THREAD_DIR@/include \
 		-I${srcdir}/@ISC_ARCH_DIR@/include \
 		-I./include \
-		-I${srcdir}/include @ISC_OPENSSL_INC@ ${DNS_INCLUDES}
+		-I${srcdir}/include ${DNS_INCLUDES} @ISC_OPENSSL_INC@
 CDEFINES =	@CRYPTO@ -DPK11_LIB_LOCATION=\"${PROVIDER}\"
 CWARNINGS =
 
@@ -133,6 +132,8 @@ libisc-nosymtbl.la: ${OBJS}
 timestamp: libisc.@A@ libisc-nosymtbl.@A@
 	touch timestamp
 
+testdirs: libisc.@A@ libisc-nosymtbl.@A@
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 
diff --git a/usr.sbin/bind/lib/isc/aes.c b/usr.sbin/bind/lib/isc/aes.c
index 708a47e60c9..ffdc172b38c 100644
--- a/usr.sbin/bind/lib/isc/aes.c
+++ b/usr.sbin/bind/lib/isc/aes.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aes.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: aes.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file isc/aes.c */
 
@@ -33,7 +33,7 @@
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define EVP_CIPHER_CTX_new() &(_context), EVP_CIPHER_CTX_init(&_context)
 #define EVP_CIPHER_CTX_free(c) RUNTIME_CHECK(EVP_CIPHER_CTX_cleanup(c) == 1)
 #endif
@@ -42,7 +42,7 @@ void
 isc_aes128_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_CIPHER_CTX _context;
 #endif
 	EVP_CIPHER_CTX *c;
@@ -62,7 +62,7 @@ void
 isc_aes192_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_CIPHER_CTX _context;
 #endif
 	EVP_CIPHER_CTX *c;
@@ -82,7 +82,7 @@ void
 isc_aes256_crypt(const unsigned char *key, const unsigned char *in,
 		 unsigned char *out)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_CIPHER_CTX _context;
 #endif
 	EVP_CIPHER_CTX *c;
diff --git a/usr.sbin/bind/lib/isc/alpha/Makefile.in b/usr.sbin/bind/lib/isc/alpha/Makefile.in
index bd22fcd7ce7..f5e6ae31d38 100644
--- a/usr.sbin/bind/lib/isc/alpha/Makefile.in
+++ b/usr.sbin/bind/lib/isc/alpha/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/alpha/include/Makefile.in b/usr.sbin/bind/lib/isc/alpha/include/Makefile.in
index 8185c77d537..da088d317a6 100644
--- a/usr.sbin/bind/lib/isc/alpha/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/alpha/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/alpha/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/alpha/include/isc/Makefile.in
index 246239b2a51..7f32bd84323 100644
--- a/usr.sbin/bind/lib/isc/alpha/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/alpha/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/alpha/include/isc/atomic.h b/usr.sbin/bind/lib/isc/alpha/include/isc/atomic.h
index b7ca1f53fb4..740a9a42645 100644
--- a/usr.sbin/bind/lib/isc/alpha/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/alpha/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*
  * This code was written based on FreeBSD's kernel source whose copyright
diff --git a/usr.sbin/bind/lib/isc/api b/usr.sbin/bind/lib/isc/api
index 104bcb00e6b..a4d222b4d03 100644
--- a/usr.sbin/bind/lib/isc/api
+++ b/usr.sbin/bind/lib/isc/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
-LIBINTERFACE = 170
-LIBREVISION = 0
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 191
+LIBREVISION = 3
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/isc/app_api.c b/usr.sbin/bind/lib/isc/app_api.c
index 3098e95c43f..bd5d43ce550 100644
--- a/usr.sbin/bind/lib/isc/app_api.c
+++ b/usr.sbin/bind/lib/isc/app_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app_api.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: app_api.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/assertions.c b/usr.sbin/bind/lib/isc/assertions.c
index cbc31603cf6..d7a8db140cc 100644
--- a/usr.sbin/bind/lib/isc/assertions.c
+++ b/usr.sbin/bind/lib/isc/assertions.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: assertions.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/backtrace-emptytbl.c b/usr.sbin/bind/lib/isc/backtrace-emptytbl.c
index e782fa0b4c6..827ef3b253a 100644
--- a/usr.sbin/bind/lib/isc/backtrace-emptytbl.c
+++ b/usr.sbin/bind/lib/isc/backtrace-emptytbl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace-emptytbl.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: backtrace-emptytbl.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/backtrace.c b/usr.sbin/bind/lib/isc/backtrace.c
index 103a494957a..2116e4f6d03 100644
--- a/usr.sbin/bind/lib/isc/backtrace.c
+++ b/usr.sbin/bind/lib/isc/backtrace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: backtrace.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/base32.c b/usr.sbin/bind/lib/isc/base32.c
index 80ace7c439d..e40e3c056f7 100644
--- a/usr.sbin/bind/lib/isc/base32.c
+++ b/usr.sbin/bind/lib/isc/base32.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base32.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: base32.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/base64.c b/usr.sbin/bind/lib/isc/base64.c
index 4d8a732d56b..6906cf2c110 100644
--- a/usr.sbin/bind/lib/isc/base64.c
+++ b/usr.sbin/bind/lib/isc/base64.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: base64.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/bind9.c b/usr.sbin/bind/lib/isc/bind9.c
index 5a62243d65e..c08b3b8571a 100644
--- a/usr.sbin/bind/lib/isc/bind9.c
+++ b/usr.sbin/bind/lib/isc/bind9.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/buffer.c b/usr.sbin/bind/lib/isc/buffer.c
index e2dbb4ef2f4..a28208f128b 100644
--- a/usr.sbin/bind/lib/isc/buffer.c
+++ b/usr.sbin/bind/lib/isc/buffer.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: buffer.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/bufferlist.c b/usr.sbin/bind/lib/isc/bufferlist.c
index d274f604901..024d12a9474 100644
--- a/usr.sbin/bind/lib/isc/bufferlist.c
+++ b/usr.sbin/bind/lib/isc/bufferlist.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: bufferlist.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/commandline.c b/usr.sbin/bind/lib/isc/commandline.c
index 4f034e92053..f283158306b 100644
--- a/usr.sbin/bind/lib/isc/commandline.c
+++ b/usr.sbin/bind/lib/isc/commandline.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2008, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -44,7 +43,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: commandline.c,v 1.6 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: commandline.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * This file was adapted from the NetBSD project's source tree, RCS ID:
diff --git a/usr.sbin/bind/lib/isc/counter.c b/usr.sbin/bind/lib/isc/counter.c
index d7d187bbeee..e26a6b36a2b 100644
--- a/usr.sbin/bind/lib/isc/counter.c
+++ b/usr.sbin/bind/lib/isc/counter.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/crc64.c b/usr.sbin/bind/lib/isc/crc64.c
index 5c158f31752..1e538f5208c 100644
--- a/usr.sbin/bind/lib/isc/crc64.c
+++ b/usr.sbin/bind/lib/isc/crc64.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/entropy.c b/usr.sbin/bind/lib/isc/entropy.c
index 3b0f1845a0d..fb881f7624a 100644
--- a/usr.sbin/bind/lib/isc/entropy.c
+++ b/usr.sbin/bind/lib/isc/entropy.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2010, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: entropy.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * \brief
@@ -42,6 +41,7 @@
 #include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/region.h>
+#include <isc/safe.h>
 #include <isc/sha1.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -334,9 +334,11 @@ entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
 		case 3:
 			val = *buf++;
 			len--;
+			/* FALLTHROUGH */
 		case 2:
 			val = val << 8 | *buf++;
 			len--;
+			/* FALLTHROUGH */
 		case 1:
 			val = val << 8 | *buf++;
 			len--;
@@ -357,8 +359,10 @@ entropypool_adddata(isc_entropy_t *ent, void *p, unsigned int len,
 		switch (len) {
 		case 3:
 			val = *buf++;
+			/* FALLTHROUGH */
 		case 2:
 			val = val << 8 | *buf++;
+			/* FALLTHROUGH */
 		case 1:
 			val = val << 8 | *buf++;
 		}
@@ -639,7 +643,7 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
 	}
 
  partial_output:
-	memset(digest, 0, sizeof(digest));
+	isc_safe_memwipe(digest, sizeof(digest));
 
 	if (returned != NULL)
 		*returned = (length - remain);
@@ -651,8 +655,8 @@ isc_entropy_getdata(isc_entropy_t *ent, void *data, unsigned int length,
  zeroize:
 	/* put the entropy we almost extracted back */
 	add_entropy(ent, total);
-	memset(data, 0, length);
-	memset(digest, 0, sizeof(digest));
+	isc_safe_memwipe(data, length);
+	isc_safe_memwipe(digest, sizeof(digest));
 	if (returned != NULL)
 		*returned = 0;
 
@@ -762,9 +766,8 @@ destroysource(isc_entropysource_t **sourcep) {
 		break;
 	}
 
-	memset(source, 0, sizeof(isc_entropysource_t));
-
-	isc_mem_put(ent->mctx, source, sizeof(isc_entropysource_t));
+	isc_safe_memwipe(source, sizeof(*source));
+	isc_mem_put(ent->mctx, source, sizeof(*source));
 }
 
 static inline isc_boolean_t
@@ -830,8 +833,8 @@ destroy(isc_entropy_t **entp) {
 
 	DESTROYLOCK(&ent->lock);
 
-	memset(ent, 0, sizeof(isc_entropy_t));
-	isc_mem_put(mctx, ent, sizeof(isc_entropy_t));
+	isc_safe_memwipe(ent, sizeof(*ent));
+	isc_mem_put(mctx, ent, sizeof(*ent));
 	isc_mem_detach(&mctx);
 }
 
diff --git a/usr.sbin/bind/lib/isc/error.c b/usr.sbin/bind/lib/isc/error.c
index 5c0e5b53b68..2ef74701504 100644
--- a/usr.sbin/bind/lib/isc/error.c
+++ b/usr.sbin/bind/lib/isc/error.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: error.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/event.c b/usr.sbin/bind/lib/isc/event.c
index f251916f6d2..97718b600b0 100644
--- a/usr.sbin/bind/lib/isc/event.c
+++ b/usr.sbin/bind/lib/isc/event.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: event.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*!
  * \file
@@ -100,6 +99,9 @@ isc_event_free(isc_event_t **eventp) {
 	event = *eventp;
 	REQUIRE(event != NULL);
 
+	REQUIRE(!ISC_LINK_LINKED(event, ev_link));
+	REQUIRE(!ISC_LINK_LINKED(event, ev_ratelink));
+
 	if (event->ev_destroy != NULL)
 		(event->ev_destroy)(event);
 
diff --git a/usr.sbin/bind/lib/isc/fsaccess.c b/usr.sbin/bind/lib/isc/fsaccess.c
index 1d7530fb8d3..8229ac0df7a 100644
--- a/usr.sbin/bind/lib/isc/fsaccess.c
+++ b/usr.sbin/bind/lib/isc/fsaccess.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,13 +14,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: fsaccess.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * \brief
  * This file contains the OS-independent functionality of the API.
  */
 #include <isc/fsaccess.h>
+#include <isc/print.h>
 #include <isc/result.h>
 #include <isc/util.h>
 
diff --git a/usr.sbin/bind/lib/isc/hash.c b/usr.sbin/bind/lib/isc/hash.c
index 6890523aa21..c09f21c3af2 100644
--- a/usr.sbin/bind/lib/isc/hash.c
+++ b/usr.sbin/bind/lib/isc/hash.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.5 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hash.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * Some portion of this code was derived from universal hash function
diff --git a/usr.sbin/bind/lib/isc/heap.c b/usr.sbin/bind/lib/isc/heap.c
index bdb9a9a30cb..88a27ce6337 100644
--- a/usr.sbin/bind/lib/isc/heap.c
+++ b/usr.sbin/bind/lib/isc/heap.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: heap.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * Heap implementation of priority queues adapted from the following:
@@ -72,6 +71,18 @@ struct isc_heap {
 	isc_heapindex_t			index;
 };
 
+#ifdef ISC_HEAP_CHECK
+static void
+heap_check(isc_heap_t *heap) {
+	unsigned int i;
+	for (i = 1; i <= heap->last; i++) {
+		INSIST(HEAPCONDITION(i));
+	}
+}
+#else
+#define heap_check(x) (void)0
+#endif
+
 isc_result_t
 isc_heap_create(isc_mem_t *mctx, isc_heapcompare_t compare,
 		isc_heapindex_t idx, unsigned int size_increment,
@@ -158,6 +169,7 @@ float_up(isc_heap_t *heap, unsigned int i, void *elt) {
 		(heap->index)(heap->array[i], i);
 
 	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
 }
 
 static void
@@ -183,6 +195,7 @@ sink_down(isc_heap_t *heap, unsigned int i, void *elt) {
 		(heap->index)(heap->array[i], i);
 
 	INSIST(HEAPCONDITION(i));
+	heap_check(heap);
 }
 
 isc_result_t
@@ -191,6 +204,7 @@ isc_heap_insert(isc_heap_t *heap, void *elt) {
 
 	REQUIRE(VALID_HEAP(heap));
 
+	heap_check(heap);
 	new_last = heap->last + 1;
 	RUNTIME_CHECK(new_last > 0); /* overflow check */
 	if (new_last >= heap->size && !resize(heap))
@@ -210,9 +224,13 @@ isc_heap_delete(isc_heap_t *heap, unsigned int idx) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(idx >= 1 && idx <= heap->last);
 
+	heap_check(heap);
+	if (heap->index != NULL)
+		(heap->index)(heap->array[idx], 0);
 	if (idx == heap->last) {
 		heap->array[heap->last] = NULL;
 		heap->last--;
+		heap_check(heap);
 	} else {
 		elt = heap->array[heap->last];
 		heap->array[heap->last] = NULL;
@@ -248,6 +266,7 @@ isc_heap_element(isc_heap_t *heap, unsigned int idx) {
 	REQUIRE(VALID_HEAP(heap));
 	REQUIRE(idx >= 1);
 
+	heap_check(heap);
 	if (idx <= heap->last)
 		return (heap->array[idx]);
 	return (NULL);
diff --git a/usr.sbin/bind/lib/isc/hex.c b/usr.sbin/bind/lib/isc/hex.c
index 4e1f91a28ad..cc5e37e64bb 100644
--- a/usr.sbin/bind/lib/isc/hex.c
+++ b/usr.sbin/bind/lib/isc/hex.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hex.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/hmacmd5.c b/usr.sbin/bind/lib/isc/hmacmd5.c
index b75c29327b9..4700cf58f91 100644
--- a/usr.sbin/bind/lib/isc/hmacmd5.c
+++ b/usr.sbin/bind/lib/isc/hmacmd5.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.2 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hmacmd5.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * This code implements the HMAC-MD5 keyed hash algorithm
@@ -43,7 +42,7 @@
 #endif
 
 #ifdef ISC_PLATFORM_OPENSSLHASH
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
 #define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
 #endif
@@ -104,8 +103,19 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_MD5_DIGESTLENGTH];
+
+	if (len < ISC_MD5_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_MD5_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_MD5_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -124,7 +134,7 @@ isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -279,7 +289,7 @@ isc_hmacmd5_init(isc_hmacmd5_t *ctx, const unsigned char *key,
 void
 isc_hmacmd5_invalidate(isc_hmacmd5_t *ctx) {
 	isc_md5_invalidate(&ctx->md5ctx);
-	memset(ctx->key, 0, sizeof(ctx->key));
+	isc_safe_memwipe(ctx->key, sizeof(ctx->key));
 }
 
 /*!
@@ -334,6 +344,72 @@ isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len) {
 	return (isc_safe_memequal(digest, newdigest, len));
 }
 
+/*
+ * Check for MD5 support; if it does not work, raise a fatal error.
+ *
+ * Use the first test vector from RFC 2104, with a second round using
+ * a too-short key.
+ *
+ * Standard use is testing 0 and expecting result true.
+ * Testing use is testing 1..4 and expecting result false.
+ */
+isc_boolean_t
+isc_hmacmd5_check(int testing) {
+	isc_hmacmd5_t ctx;
+	unsigned char key[] = { /* 0x0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b */
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b
+	};
+	unsigned char input[] = { /* "Hi There" */
+		0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+	};
+	unsigned char expected[] = {
+		0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
+		0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d
+	};
+	unsigned char expected2[] = {
+		0xad, 0xb8, 0x48, 0x05, 0xb8, 0x8d, 0x03, 0xe5,
+		0x90, 0x1e, 0x4b, 0x05, 0x69, 0xce, 0x35, 0xea
+	};
+	isc_boolean_t result;
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	switch (testing) {
+	case 0:
+	default:
+		break;
+	case 1:
+		key[0] ^= 0x01;
+		break;
+	case 2:
+		input[0] ^= 0x01;
+		break;
+	case 3:
+		expected[0] ^= 0x01;
+		break;
+	case 4:
+		expected2[0] ^= 0x01;
+		break;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_hmacmd5_init(&ctx, key, 16U);
+	isc_hmacmd5_update(&ctx, input, 8U);
+	result = isc_hmacmd5_verify2(&ctx, expected, sizeof(expected));
+	if (!result) {
+		return (result);
+	}
+
+	/* Second round using a byte key */
+	isc_hmacmd5_init(&ctx, key, 1U);
+	isc_hmacmd5_update(&ctx, input, 8U);
+	return (isc_hmacmd5_verify2(&ctx, expected2, sizeof(expected2)));
+}
+
 #else /* !PK11_MD5_DISABLE */
 #ifdef WIN32
 /* Make the Visual Studio linker happy */
@@ -345,5 +421,6 @@ void isc_hmacmd5_sign() { INSIST(0); }
 void isc_hmacmd5_update() { INSIST(0); }
 void isc_hmacmd5_verify() { INSIST(0); }
 void isc_hmacmd5_verify2() { INSIST(0); }
+void isc_hmacmd5_check() { INSIST(0); }
 #endif
 #endif /* PK11_MD5_DISABLE */
diff --git a/usr.sbin/bind/lib/isc/hmacsha.c b/usr.sbin/bind/lib/isc/hmacsha.c
index de163342879..727a4a1f025 100644
--- a/usr.sbin/bind/lib/isc/hmacsha.c
+++ b/usr.sbin/bind/lib/isc/hmacsha.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007, 2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.c,v 1.3 2019/12/16 16:16:25 deraadt Exp $ */
+/* $Id: hmacsha.c,v 1.4 2019/12/17 01:46:34 sthen Exp $ */
 
 /*
  * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
@@ -40,7 +40,7 @@
 #endif
 
 #ifdef ISC_PLATFORM_OPENSSLHASH
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define HMAC_CTX_new() &(ctx->_ctx), HMAC_CTX_init(&(ctx->_ctx))
 #define HMAC_CTX_free(ptr) HMAC_CTX_cleanup(ptr)
 #endif
@@ -80,7 +80,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 	HMAC_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 void
@@ -118,7 +118,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
 	HMAC_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 void
@@ -156,7 +156,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
 	HMAC_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 void
@@ -194,7 +194,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
 	HMAC_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 void
@@ -232,7 +232,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 	HMAC_CTX_free(ctx->ctx);
 	ctx->ctx = NULL;
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 #elif PKCS11CRYPTO
@@ -273,8 +273,19 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA1_DIGESTLENGTH];
+
+	if (len < ISC_SHA1_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA1_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA1_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -293,7 +304,7 @@ isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -326,7 +337,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 	ctx->object = CK_INVALID_HANDLE;
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #else
 void
@@ -410,7 +421,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif
 
@@ -432,8 +443,19 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA224_DIGESTLENGTH];
+
+	if (len < ISC_SHA224_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA224_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA224_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -452,7 +474,7 @@ isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -485,7 +507,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
 	ctx->object = CK_INVALID_HANDLE;
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #else
 void
@@ -569,7 +591,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
 	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif
 
@@ -591,8 +613,19 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA256_DIGESTLENGTH];
+
+	if (len < ISC_SHA256_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA256_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA256_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -611,7 +644,7 @@ isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -644,7 +677,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
 	ctx->object = CK_INVALID_HANDLE;
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #else
 void
@@ -728,7 +761,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
 	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif
 
@@ -750,8 +783,19 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA384_DIGESTLENGTH];
+
+	if (len < ISC_SHA384_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA384_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA384_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -770,7 +814,7 @@ isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -803,7 +847,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
 	ctx->object = CK_INVALID_HANDLE;
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #else
 void
@@ -887,7 +931,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
 	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif
 
@@ -909,8 +953,19 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
 		{ CKA_SIGN, &truevalue, (CK_ULONG) sizeof(truevalue) },
 		{ CKA_VALUE, NULL, (CK_ULONG) len }
 	};
-
+#ifdef PK11_PAD_HMAC_KEYS
+	CK_BYTE keypad[ISC_SHA512_DIGESTLENGTH];
+
+	if (len < ISC_SHA512_DIGESTLENGTH) {
+		memset(keypad, 0, ISC_SHA512_DIGESTLENGTH);
+		memmove(keypad, key, len);
+		keyTemplate[5].pValue = keypad;
+		keyTemplate[5].ulValueLen = ISC_SHA512_DIGESTLENGTH;
+	} else
+		DE_CONST(key, keyTemplate[5].pValue);
+#else
 	DE_CONST(key, keyTemplate[5].pValue);
+#endif
 	RUNTIME_CHECK(pk11_get_session(ctx, OP_DIGEST, ISC_TRUE, ISC_FALSE,
 				       ISC_FALSE, NULL, 0) == ISC_R_SUCCESS);
 	ctx->object = CK_INVALID_HANDLE;
@@ -929,7 +984,7 @@ isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_SignFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	if (ctx->object != CK_INVALID_HANDLE)
 		(void) pkcs_C_DestroyObject(ctx->session, ctx->object);
 	ctx->object = CK_INVALID_HANDLE;
@@ -962,7 +1017,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 	ctx->object = CK_INVALID_HANDLE;
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #else
 void
@@ -1046,7 +1101,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 	PK11_FATALCHECK(pkcs_C_DigestFinal, (ctx->session, newdigest, &psl));
 	pk11_return_session(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif
 
@@ -1084,7 +1139,7 @@ isc_hmacsha1_init(isc_hmacsha1_t *ctx, const unsigned char *key,
 void
 isc_hmacsha1_invalidate(isc_hmacsha1_t *ctx) {
 	isc_sha1_invalidate(&ctx->sha1ctx);
-	memset(ctx, 0, sizeof(*ctx));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*
@@ -1120,7 +1175,7 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 	isc_sha1_final(&ctx->sha1ctx, newdigest);
 	isc_hmacsha1_invalidate(ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 /*
@@ -1151,7 +1206,7 @@ isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
 
 void
 isc_hmacsha224_invalidate(isc_hmacsha224_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*
@@ -1186,7 +1241,7 @@ isc_hmacsha224_sign(isc_hmacsha224_t *ctx, unsigned char *digest, size_t len) {
 	isc_sha224_update(&ctx->sha224ctx, newdigest, ISC_SHA224_DIGESTLENGTH);
 	isc_sha224_final(newdigest, &ctx->sha224ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 /*
@@ -1217,7 +1272,7 @@ isc_hmacsha256_init(isc_hmacsha256_t *ctx, const unsigned char *key,
 
 void
 isc_hmacsha256_invalidate(isc_hmacsha256_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*
@@ -1252,7 +1307,7 @@ isc_hmacsha256_sign(isc_hmacsha256_t *ctx, unsigned char *digest, size_t len) {
 	isc_sha256_update(&ctx->sha256ctx, newdigest, ISC_SHA256_DIGESTLENGTH);
 	isc_sha256_final(newdigest, &ctx->sha256ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 /*
@@ -1283,7 +1338,7 @@ isc_hmacsha384_init(isc_hmacsha384_t *ctx, const unsigned char *key,
 
 void
 isc_hmacsha384_invalidate(isc_hmacsha384_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*
@@ -1318,7 +1373,7 @@ isc_hmacsha384_sign(isc_hmacsha384_t *ctx, unsigned char *digest, size_t len) {
 	isc_sha384_update(&ctx->sha384ctx, newdigest, ISC_SHA384_DIGESTLENGTH);
 	isc_sha384_final(newdigest, &ctx->sha384ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 
 /*
@@ -1349,7 +1404,7 @@ isc_hmacsha512_init(isc_hmacsha512_t *ctx, const unsigned char *key,
 
 void
 isc_hmacsha512_invalidate(isc_hmacsha512_t *ctx) {
-	memset(ctx, 0, sizeof(*ctx));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*
@@ -1384,7 +1439,7 @@ isc_hmacsha512_sign(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len) {
 	isc_sha512_update(&ctx->sha512ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
 	isc_sha512_final(newdigest, &ctx->sha512ctx);
 	memmove(digest, newdigest, len);
-	memset(newdigest, 0, sizeof(newdigest));
+	isc_safe_memwipe(newdigest, sizeof(newdigest));
 }
 #endif /* !ISC_PLATFORM_OPENSSLHASH */
 
@@ -1452,3 +1507,72 @@ isc_hmacsha512_verify(isc_hmacsha512_t *ctx, unsigned char *digest, size_t len)
 	isc_hmacsha512_sign(ctx, newdigest, ISC_SHA512_DIGESTLENGTH);
 	return (isc_safe_memequal(digest, newdigest, len));
 }
+
+/*
+ * Check for SHA-1 support; if it does not work, raise a fatal error.
+ *
+ * Use the first test vector from RFC 2104, with a second round using
+ * a too-short key.
+ *
+ * Standard use is testing 0 and expecting result true.
+ * Testing use is testing 1..4 and expecting result false.
+ */
+isc_boolean_t
+isc_hmacsha1_check(int testing) {
+	isc_hmacsha1_t ctx;
+	unsigned char key[] = { /* 20*0x0b */
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+		0x0b, 0x0b, 0x0b, 0x0b
+	};
+	unsigned char input[] = { /* "Hi There" */
+		0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65
+	};
+	unsigned char expected[] = {
+		0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+		0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+		0xf1, 0x46, 0xbe, 0x00
+	};
+	unsigned char expected2[] = {
+		0xa0, 0x75, 0xe0, 0x5f, 0x7f, 0x17, 0x9d, 0x34,
+		0xb2, 0xab, 0xc5, 0x19, 0x8f, 0x38, 0x62, 0x36,
+		0x42, 0xbd, 0xec, 0xde
+	};
+	isc_boolean_t result;
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	switch (testing) {
+	case 0:
+	default:
+		break;
+	case 1:
+		key[0] ^= 0x01;
+		break;
+	case 2:
+		input[0] ^= 0x01;
+		break;
+	case 3:
+		expected[0] ^= 0x01;
+		break;
+	case 4:
+		expected2[0] ^= 0x01;
+		break;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_hmacsha1_init(&ctx, key, 20U);
+	isc_hmacsha1_update(&ctx, input, 8U);
+	result = isc_hmacsha1_verify(&ctx, expected, sizeof(expected));
+	if (!result) {
+		return (result);
+	}
+
+	/* Second round using a byte key */
+	isc_hmacsha1_init(&ctx, key, 1U);
+	isc_hmacsha1_update(&ctx, input, 8U);
+	return (isc_hmacsha1_verify(&ctx, expected2, sizeof(expected2)));
+}
diff --git a/usr.sbin/bind/lib/isc/httpd.c b/usr.sbin/bind/lib/isc/httpd.c
index b9de18cb927..27870ea9a3a 100644
--- a/usr.sbin/bind/lib/isc/httpd.c
+++ b/usr.sbin/bind/lib/isc/httpd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008, 2010-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: httpd.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: httpd.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -916,8 +916,10 @@ isc_httpd_response(isc_httpd_t *httpd) {
 			return (result);
 	}
 
-	sprintf(isc_buffer_used(&httpd->headerbuffer), "%s %03u %s\r\n",
-		httpd->protocol, httpd->retcode, httpd->retmsg);
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 (int)isc_buffer_availablelength(&httpd->headerbuffer),
+		 "%s %03u %s\r\n", httpd->protocol, httpd->retcode,
+		 httpd->retmsg);
 	isc_buffer_add(&httpd->headerbuffer, needlen);
 
 	return (ISC_R_SUCCESS);
@@ -942,11 +944,13 @@ isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
 	}
 
 	if (val != NULL)
-		sprintf(isc_buffer_used(&httpd->headerbuffer),
-			"%s: %s\r\n", name, val);
+		snprintf(isc_buffer_used(&httpd->headerbuffer),
+			 isc_buffer_availablelength(&httpd->headerbuffer),
+			 "%s: %s\r\n", name, val);
 	else
-		sprintf(isc_buffer_used(&httpd->headerbuffer),
-			"%s\r\n", name);
+		snprintf(isc_buffer_used(&httpd->headerbuffer),
+			 isc_buffer_availablelength(&httpd->headerbuffer),
+			 "%s\r\n", name);
 
 	isc_buffer_add(&httpd->headerbuffer, needlen);
 
@@ -963,7 +967,8 @@ isc_httpd_endheaders(isc_httpd_t *httpd) {
 			return (result);
 	}
 
-	sprintf(isc_buffer_used(&httpd->headerbuffer), "\r\n");
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 isc_buffer_availablelength(&httpd->headerbuffer), "\r\n");
 	isc_buffer_add(&httpd->headerbuffer, 2);
 
 	return (ISC_R_SUCCESS);
@@ -975,7 +980,7 @@ isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
 	unsigned int needlen;
 	char buf[sizeof "18446744073709551616"];
 
-	sprintf(buf, "%d", val);
+	snprintf(buf, sizeof(buf), "%d", val);
 
 	needlen = strlen(name); /* name itself */
 	needlen += 2 + strlen(buf); /* :<space> and val */
@@ -987,8 +992,9 @@ isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
 			return (result);
 	}
 
-	sprintf(isc_buffer_used(&httpd->headerbuffer),
-		"%s: %s\r\n", name, buf);
+	snprintf(isc_buffer_used(&httpd->headerbuffer),
+		 isc_buffer_availablelength(&httpd->headerbuffer),
+		 "%s: %s\r\n", name, buf);
 
 	isc_buffer_add(&httpd->headerbuffer, needlen);
 
diff --git a/usr.sbin/bind/lib/isc/ia64/Makefile.in b/usr.sbin/bind/lib/isc/ia64/Makefile.in
index bd22fcd7ce7..f5e6ae31d38 100644
--- a/usr.sbin/bind/lib/isc/ia64/Makefile.in
+++ b/usr.sbin/bind/lib/isc/ia64/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:34 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/ia64/include/Makefile.in b/usr.sbin/bind/lib/isc/ia64/include/Makefile.in
index 8185c77d537..26e6c3bd7f5 100644
--- a/usr.sbin/bind/lib/isc/ia64/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/ia64/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/ia64/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/ia64/include/isc/Makefile.in
index 246239b2a51..aefa23abcd5 100644
--- a/usr.sbin/bind/lib/isc/ia64/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/ia64/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/ia64/include/isc/atomic.h b/usr.sbin/bind/lib/isc/ia64/include/isc/atomic.h
index a1cf3e23582..a5a3fdc61d8 100644
--- a/usr.sbin/bind/lib/isc/ia64/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/ia64/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/usr.sbin/bind/lib/isc/include/Makefile.in b/usr.sbin/bind/lib/isc/include/Makefile.in
index 5557714e89f..6c60787e677 100644
--- a/usr.sbin/bind/lib/isc/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/include/isc/Makefile.in
index cb0f79c9e6c..80f0e078a82 100644
--- a/usr.sbin/bind/lib/isc/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/include/isc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -30,15 +29,15 @@ HEADERS =	aes.h app.h assertions.h backtrace.h base32.h base64.h \
 		event.h eventclass.h file.h formatcheck.h fsaccess.h \
 		hash.h heap.h hex.h hmacmd5.h hmacsha.h httpd.h \
 		interfaceiter.h @ISC_IPV6_H@ iterated_hash.h json.h \
-		lang.h lex.h lfsr.h lib.h list.h log.h \
+		lang.h lex.h lfsr.h lib.h likely.h list.h log.h \
 		magic.h md5.h mem.h msgcat.h msgs.h mutexblock.h \
 		netaddr.h netscope.h ondestroy.h os.h parseint.h \
 		pool.h portset.h print.h queue.h quota.h \
 		radix.h random.h ratelimiter.h refcount.h regex.h \
 		region.h resource.h result.h resultclass.h rwlock.h \
 		safe.h serial.h sha1.h sha2.h sockaddr.h socket.h \
-		stats.h stdio.h stdlib.h string.h symtab.h \
-	        task.h taskpool.h timer.h tm.h types.h util.h version.h \
+		stats.h stdio.h stdlib.h string.h symtab.h task.h \
+		taskpool.h timer.h tm.h types.h util.h version.h \
 		xml.h
 
 SUBDIRS =
diff --git a/usr.sbin/bind/lib/isc/include/isc/aes.h b/usr.sbin/bind/lib/isc/include/isc/aes.h
index 68de6c3f36c..90948353410 100644
--- a/usr.sbin/bind/lib/isc/include/isc/aes.h
+++ b/usr.sbin/bind/lib/isc/include/isc/aes.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aes.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: aes.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/aes.h */
 
diff --git a/usr.sbin/bind/lib/isc/include/isc/app.h b/usr.sbin/bind/lib/isc/include/isc/app.h
index 04d1c8ff864..928bbc68401 100644
--- a/usr.sbin/bind/lib/isc/include/isc/app.h
+++ b/usr.sbin/bind/lib/isc/include/isc/app.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: app.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/assertions.h b/usr.sbin/bind/lib/isc/include/isc/assertions.h
index 75bd4bc9617..8c8855bc229 100644
--- a/usr.sbin/bind/lib/isc/include/isc/assertions.h
+++ b/usr.sbin/bind/lib/isc/include/isc/assertions.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +15,7 @@
  */
 
 /*
- * $Id: assertions.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+ * $Id: assertions.h,v 1.3 2019/12/17 01:46:35 sthen Exp $
  */
 /*! \file isc/assertions.h
  */
@@ -25,6 +24,7 @@
 #define ISC_ASSERTIONS_H 1
 
 #include <isc/lang.h>
+#include <isc/likely.h>
 #include <isc/platform.h>
 
 ISC_LANG_BEGINDECLS
diff --git a/usr.sbin/bind/lib/isc/include/isc/backtrace.h b/usr.sbin/bind/lib/isc/include/isc/backtrace.h
index c9d55dea5df..00c71f8fc73 100644
--- a/usr.sbin/bind/lib/isc/include/isc/backtrace.h
+++ b/usr.sbin/bind/lib/isc/include/isc/backtrace.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: backtrace.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: backtrace.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/backtrace.h
  * \brief provide a back trace of the running process to help debug problems.
diff --git a/usr.sbin/bind/lib/isc/include/isc/base32.h b/usr.sbin/bind/lib/isc/include/isc/base32.h
index 347b8ed40a0..1d70d18afb7 100644
--- a/usr.sbin/bind/lib/isc/include/isc/base32.h
+++ b/usr.sbin/bind/lib/isc/include/isc/base32.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/base64.h b/usr.sbin/bind/lib/isc/include/isc/base64.h
index 01c204a9604..84fd104b65a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/base64.h
+++ b/usr.sbin/bind/lib/isc/include/isc/base64.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: base64.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_BASE64_H
 #define ISC_BASE64_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/bind9.h b/usr.sbin/bind/lib/isc/include/isc/bind9.h
index 5ba095aa083..35e6a6c83ef 100644
--- a/usr.sbin/bind/lib/isc/include/isc/bind9.h
+++ b/usr.sbin/bind/lib/isc/include/isc/bind9.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bind9.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: bind9.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_BIND9_H
 #define ISC_BIND9_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/boolean.h b/usr.sbin/bind/lib/isc/include/isc/boolean.h
index 92e0ab02d68..43ee0eadadd 100644
--- a/usr.sbin/bind/lib/isc/include/isc/boolean.h
+++ b/usr.sbin/bind/lib/isc/include/isc/boolean.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: boolean.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: boolean.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_BOOLEAN_H
 #define ISC_BOOLEAN_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/buffer.h b/usr.sbin/bind/lib/isc/include/isc/buffer.h
index ad0f0194c8d..01b015a63c5 100644
--- a/usr.sbin/bind/lib/isc/include/isc/buffer.h
+++ b/usr.sbin/bind/lib/isc/include/isc/buffer.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2010, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: buffer.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_BUFFER_H
 #define ISC_BUFFER_H 1
@@ -107,6 +106,7 @@
  *** Imports
  ***/
 
+#include <isc/formatcheck.h>
 #include <isc/lang.h>
 #include <isc/magic.h>
 #include <isc/types.h>
@@ -795,7 +795,7 @@ ISC_LANG_ENDDECLS
 	do { \
 		unsigned int _length; \
 		unsigned char *_cp; \
-		_length = strlen(_source); \
+		_length = (unsigned int)strlen(_source); \
 		_cp = isc_buffer_used(_b); \
 		memmove(_cp, (_source), _length); \
 		(_b)->used += (_length); \
diff --git a/usr.sbin/bind/lib/isc/include/isc/bufferlist.h b/usr.sbin/bind/lib/isc/include/isc/bufferlist.h
index ff3345582fb..e5bbee1c285 100644
--- a/usr.sbin/bind/lib/isc/include/isc/bufferlist.h
+++ b/usr.sbin/bind/lib/isc/include/isc/bufferlist.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: bufferlist.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_BUFFERLIST_H
 #define ISC_BUFFERLIST_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/commandline.h b/usr.sbin/bind/lib/isc/include/isc/commandline.h
index 785c46f76bf..6e3b35d068a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/commandline.h
+++ b/usr.sbin/bind/lib/isc/include/isc/commandline.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: commandline.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: commandline.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_COMMANDLINE_H
 #define ISC_COMMANDLINE_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/counter.h b/usr.sbin/bind/lib/isc/include/isc/counter.h
index e7ebd253325..aeaff3b21a0 100644
--- a/usr.sbin/bind/lib/isc/include/isc/counter.h
+++ b/usr.sbin/bind/lib/isc/include/isc/counter.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/crc64.h b/usr.sbin/bind/lib/isc/include/isc/crc64.h
index 18efb719233..f4672b91b41 100644
--- a/usr.sbin/bind/lib/isc/include/isc/crc64.h
+++ b/usr.sbin/bind/lib/isc/include/isc/crc64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/entropy.h b/usr.sbin/bind/lib/isc/include/isc/entropy.h
index b667c84a549..301ac946ab8 100644
--- a/usr.sbin/bind/lib/isc/include/isc/entropy.h
+++ b/usr.sbin/bind/lib/isc/include/isc/entropy.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: entropy.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/errno.h b/usr.sbin/bind/lib/isc/include/isc/errno.h
index 92bfb4cdd9d..e12ab91645f 100644
--- a/usr.sbin/bind/lib/isc/include/isc/errno.h
+++ b/usr.sbin/bind/lib/isc/include/isc/errno.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/error.h b/usr.sbin/bind/lib/isc/include/isc/error.h
index a82ded0c02a..c270742a767 100644
--- a/usr.sbin/bind/lib/isc/include/isc/error.h
+++ b/usr.sbin/bind/lib/isc/include/isc/error.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: error.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ERROR_H
 #define ISC_ERROR_H 1
@@ -26,6 +25,7 @@
 
 #include <isc/formatcheck.h>
 #include <isc/lang.h>
+#include <isc/likely.h>
 #include <isc/platform.h>
 
 ISC_LANG_BEGINDECLS
@@ -51,8 +51,8 @@ isc_error_fatal(const char *, int, const char *, ...)
 ISC_FORMAT_PRINTF(3, 4) ISC_PLATFORM_NORETURN_POST;
 
 /*% runtimecheck error */
-void
-isc_error_runtimecheck(const char *, int, const char *);
+ISC_PLATFORM_NORETURN_PRE void
+isc_error_runtimecheck(const char *, int, const char *) ISC_PLATFORM_NORETURN_POST;
 
 #define ISC_ERROR_RUNTIMECHECK(cond) \
 	((void) (ISC_LIKELY(cond) || \
diff --git a/usr.sbin/bind/lib/isc/include/isc/event.h b/usr.sbin/bind/lib/isc/include/isc/event.h
index cd731ae3776..6c38c630cb4 100644
--- a/usr.sbin/bind/lib/isc/include/isc/event.h
+++ b/usr.sbin/bind/lib/isc/include/isc/event.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/eventclass.h b/usr.sbin/bind/lib/isc/include/isc/eventclass.h
index a78aabb207a..58f9369f14e 100644
--- a/usr.sbin/bind/lib/isc/include/isc/eventclass.h
+++ b/usr.sbin/bind/lib/isc/include/isc/eventclass.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: eventclass.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: eventclass.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_EVENTCLASS_H
 #define ISC_EVENTCLASS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/file.h b/usr.sbin/bind/lib/isc/include/isc/file.h
index 86d0bbb8377..00f6c579a83 100644
--- a/usr.sbin/bind/lib/isc/include/isc/file.h
+++ b/usr.sbin/bind/lib/isc/include/isc/file.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: file.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
@@ -261,7 +260,6 @@ isc_file_progname(const char *filename, char *buf, size_t buflen);
  * \brief Given an operating system specific file name "filename"
  * referring to a program, return the canonical program name.
  *
- *
  * Any directory prefix or executable file name extension (if
  * used on the OS in case) is stripped.  On systems where program
  * names are case insensitive, the name is canonicalized to all
@@ -365,6 +363,12 @@ isc_file_munmap(void *addr, size_t len);
  * this platform, then we simply free the memory.
  */
 
+isc_boolean_t
+isc_file_isdirwritable(const char *path);
+/*%<
+ *	Return true if the path is a directory and is writable
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_FILE_H */
diff --git a/usr.sbin/bind/lib/isc/include/isc/formatcheck.h b/usr.sbin/bind/lib/isc/include/isc/formatcheck.h
index 2959d0b35ec..805f39b5929 100644
--- a/usr.sbin/bind/lib/isc/include/isc/formatcheck.h
+++ b/usr.sbin/bind/lib/isc/include/isc/formatcheck.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: formatcheck.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: formatcheck.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_FORMATCHECK_H
 #define ISC_FORMATCHECK_H 1
@@ -27,7 +26,7 @@
  *
  * \li fmt is the location of the format string parameter.
  * \li args is the location of the first argument (or 0 for no argument checking).
- * 
+ *
  * Note:
  * \li The first parameter is 1, not 0.
  */
diff --git a/usr.sbin/bind/lib/isc/include/isc/fsaccess.h b/usr.sbin/bind/lib/isc/include/isc/fsaccess.h
index 5a911cb1ac8..d982a632de4 100644
--- a/usr.sbin/bind/lib/isc/include/isc/fsaccess.h
+++ b/usr.sbin/bind/lib/isc/include/isc/fsaccess.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: fsaccess.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_FSACCESS_H
 #define ISC_FSACCESS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/hash.h b/usr.sbin/bind/lib/isc/include/isc/hash.h
index 1f94d6a0933..415dc8042bf 100644
--- a/usr.sbin/bind/lib/isc/include/isc/hash.h
+++ b/usr.sbin/bind/lib/isc/include/isc/hash.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.h,v 1.4 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: hash.h,v 1.5 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_HASH_H
 #define ISC_HASH_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/heap.h b/usr.sbin/bind/lib/isc/include/isc/heap.h
index 3a036a1bc0f..8d7b110449f 100644
--- a/usr.sbin/bind/lib/isc/include/isc/heap.h
+++ b/usr.sbin/bind/lib/isc/include/isc/heap.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: heap.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/hex.h b/usr.sbin/bind/lib/isc/include/isc/hex.h
index b7309b2baac..4ce765cde3a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/hex.h
+++ b/usr.sbin/bind/lib/isc/include/isc/hex.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: hex.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_HEX_H
 #define ISC_HEX_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h b/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h
index 4199040bf71..0e9cd753eb2 100644
--- a/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h
+++ b/usr.sbin/bind/lib/isc/include/isc/hmacmd5.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: hmacmd5.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/hmacmd5.h
  * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
@@ -42,7 +41,7 @@
 
 typedef struct {
 	HMAC_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	HMAC_CTX _ctx;
 #endif
 } isc_hmacmd5_t;
@@ -82,6 +81,9 @@ isc_hmacmd5_verify(isc_hmacmd5_t *ctx, unsigned char *digest);
 isc_boolean_t
 isc_hmacmd5_verify2(isc_hmacmd5_t *ctx, unsigned char *digest, size_t len);
 
+isc_boolean_t
+isc_hmacmd5_check(int testing);
+
 ISC_LANG_ENDDECLS
 
 #endif /* !PK11_MD5_DISABLE */
diff --git a/usr.sbin/bind/lib/isc/include/isc/hmacsha.h b/usr.sbin/bind/lib/isc/include/isc/hmacsha.h
index d936be2f350..e434bd6237a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/hmacsha.h
+++ b/usr.sbin/bind/lib/isc/include/isc/hmacsha.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007, 2009, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: hmacsha.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/hmacsha.h
  * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
@@ -42,7 +42,7 @@
 
 typedef struct {
 	HMAC_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	HMAC_CTX _ctx;
 #endif
 } isc_hmacsha_t;
@@ -109,6 +109,9 @@ isc_hmacsha1_sign(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
 isc_boolean_t
 isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len);
 
+isc_boolean_t
+isc_hmacsha1_check(int testing);
+
 
 void
 isc_hmacsha224_init(isc_hmacsha224_t *ctx, const unsigned char *key,
diff --git a/usr.sbin/bind/lib/isc/include/isc/httpd.h b/usr.sbin/bind/lib/isc/include/isc/httpd.h
index b0f3dddb2e0..145627d1dff 100644
--- a/usr.sbin/bind/lib/isc/include/isc/httpd.h
+++ b/usr.sbin/bind/lib/isc/include/isc/httpd.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2008, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: httpd.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: httpd.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_HTTPD_H
 #define ISC_HTTPD_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/interfaceiter.h b/usr.sbin/bind/lib/isc/include/isc/interfaceiter.h
index bb0978d0039..3e8c643367a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/interfaceiter.h
+++ b/usr.sbin/bind/lib/isc/include/isc/interfaceiter.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: interfaceiter.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_INTERFACEITER_H
 #define ISC_INTERFACEITER_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/ipv6.h b/usr.sbin/bind/lib/isc/include/isc/ipv6.h
index 49da98e30e1..486d930554c 100644
--- a/usr.sbin/bind/lib/isc/include/isc/ipv6.h
+++ b/usr.sbin/bind/lib/isc/include/isc/ipv6.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: ipv6.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
@@ -61,11 +60,11 @@
  ***/
 
 struct in6_addr {
-        union {
+	union {
 		isc_uint8_t	_S6_u8[16];
 		isc_uint16_t	_S6_u16[8];
 		isc_uint32_t	_S6_u32[4];
-        } _S6_un;
+	} _S6_un;
 };
 #define s6_addr		_S6_un._S6_u8
 #define s6_addr8	_S6_un._S6_u8
@@ -99,37 +98,37 @@ struct sockaddr_in6 {
  * Unspecified
  */
 #define IN6_IS_ADDR_UNSPECIFIED(a)      \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == 0))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == 0))
 
 /*%
  * Loopback
  */
 #define IN6_IS_ADDR_LOOPBACK(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == htonl(1)))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == htonl(1)))
 
 /*%
  * IPv4 compatible
  */
 #define IN6_IS_ADDR_V4COMPAT(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] != 0) &&    \
-         ((a)->s6_addr32[3] != htonl(1)))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] != 0) &&    \
+	 ((a)->s6_addr32[3] != htonl(1)))
 
 /*%
  * Mapped
  */
 #define IN6_IS_ADDR_V4MAPPED(a)               \
-        (((a)->s6_addr32[0] == 0) &&          \
-         ((a)->s6_addr32[1] == 0) &&          \
-         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+	(((a)->s6_addr32[0] == 0) &&          \
+	 ((a)->s6_addr32[1] == 0) &&          \
+	 ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 
 /*%
  * Multicast
diff --git a/usr.sbin/bind/lib/isc/include/isc/iterated_hash.h b/usr.sbin/bind/lib/isc/include/isc/iterated_hash.h
index 9f6ed45d9bc..31d7d488b51 100644
--- a/usr.sbin/bind/lib/isc/include/isc/iterated_hash.h
+++ b/usr.sbin/bind/lib/isc/include/isc/iterated_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iterated_hash.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: iterated_hash.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ITERATED_HASH_H
 #define ISC_ITERATED_HASH_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/json.h b/usr.sbin/bind/lib/isc/include/isc/json.h
index 71ea38bfc60..487e174dfe8 100644
--- a/usr.sbin/bind/lib/isc/include/isc/json.h
+++ b/usr.sbin/bind/lib/isc/include/isc/json.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/lang.h b/usr.sbin/bind/lib/isc/include/isc/lang.h
index 45864cde391..7e667c47fd9 100644
--- a/usr.sbin/bind/lib/isc/include/isc/lang.h
+++ b/usr.sbin/bind/lib/isc/include/isc/lang.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lang.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LANG_H
 #define ISC_LANG_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/lex.h b/usr.sbin/bind/lib/isc/include/isc/lex.h
index 66659d16f01..cba1a7866ce 100644
--- a/usr.sbin/bind/lib/isc/include/isc/lex.h
+++ b/usr.sbin/bind/lib/isc/include/isc/lex.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lex.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LEX_H
 #define ISC_LEX_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/lfsr.h b/usr.sbin/bind/lib/isc/include/isc/lfsr.h
index ef57e4a8c09..3ea9f9fc52f 100644
--- a/usr.sbin/bind/lib/isc/include/isc/lfsr.h
+++ b/usr.sbin/bind/lib/isc/include/isc/lfsr.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lfsr.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LFSR_H
 #define ISC_LFSR_H 1
@@ -54,7 +53,7 @@ struct isc_lfsr {
 ISC_LANG_BEGINDECLS
 
 
-void 
+void
 isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
 		   isc_uint32_t tap, unsigned int count,
 		   isc_lfsrreseed_t reseed, void *arg);
@@ -75,7 +74,7 @@ isc_lfsr_init(isc_lfsr_t *lfsr, isc_uint32_t state, unsigned int bits,
  *\li	tap != 0
  */
 
-void 
+void
 isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
 /*%<
  * Returns "count" bytes of data from the LFSR.
@@ -89,7 +88,7 @@ isc_lfsr_generate(isc_lfsr_t *lfsr, void *data, unsigned int count);
  *\li	count > 0.
  */
 
-void 
+void
 isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
 /*%<
  * Skip "skip" states.
@@ -99,7 +98,7 @@ isc_lfsr_skip(isc_lfsr_t *lfsr, unsigned int skip);
  *\li	lfsr be valid.
  */
 
-isc_uint32_t 
+isc_uint32_t
 isc_lfsr_generate32(isc_lfsr_t *lfsr1, isc_lfsr_t *lfsr2);
 /*%<
  * Given two LFSRs, use the current state from each to skip entries in the
diff --git a/usr.sbin/bind/lib/isc/include/isc/lib.h b/usr.sbin/bind/lib/isc/include/isc/lib.h
index 2159e6c7a66..9404324624a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/lib.h
+++ b/usr.sbin/bind/lib/isc/include/isc/lib.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lib.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/likely.h b/usr.sbin/bind/lib/isc/include/isc/likely.h
new file mode 100644
index 00000000000..bbd9f685d3a
--- /dev/null
+++ b/usr.sbin/bind/lib/isc/include/isc/likely.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef ISC_LIKELY_H
+#define ISC_LIKELY_H 1
+
+/*%
+ * Performance
+ */
+#ifdef HAVE_BUILTIN_EXPECT
+#define ISC_LIKELY(x)            __builtin_expect(!!(x), 1)
+#define ISC_UNLIKELY(x)          __builtin_expect(!!(x), 0)
+#else
+#define ISC_LIKELY(x)            (x)
+#define ISC_UNLIKELY(x)          (x)
+#endif
+
+#endif /* ISC_LIKELY_H */
diff --git a/usr.sbin/bind/lib/isc/include/isc/list.h b/usr.sbin/bind/lib/isc/include/isc/list.h
index 6d7ce8ad0c9..33f6d0831f2 100644
--- a/usr.sbin/bind/lib/isc/include/isc/list.h
+++ b/usr.sbin/bind/lib/isc/include/isc/list.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: list.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/log.h b/usr.sbin/bind/lib/isc/include/isc/log.h
index 625b93cf8a6..f0ba04dc2ad 100644
--- a/usr.sbin/bind/lib/isc/include/isc/log.h
+++ b/usr.sbin/bind/lib/isc/include/isc/log.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: log.h,v 1.6 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/magic.h b/usr.sbin/bind/lib/isc/include/isc/magic.h
index dd3ef55576f..9eb5f904c64 100644
--- a/usr.sbin/bind/lib/isc/include/isc/magic.h
+++ b/usr.sbin/bind/lib/isc/include/isc/magic.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,12 +14,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: magic.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: magic.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_MAGIC_H
 #define ISC_MAGIC_H 1
 
-#include <isc/util.h>
+#include <isc/likely.h>
 
 /*! \file isc/magic.h */
 
diff --git a/usr.sbin/bind/lib/isc/include/isc/md5.h b/usr.sbin/bind/lib/isc/include/isc/md5.h
index 14f07e58dca..d14043d2dea 100644
--- a/usr.sbin/bind/lib/isc/include/isc/md5.h
+++ b/usr.sbin/bind/lib/isc/include/isc/md5.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2010, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: md5.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/md5.h
  * \brief This is the header file for the MD5 message-digest algorithm.
@@ -60,7 +59,7 @@
 
 typedef struct {
 	EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_MD_CTX _ctx;
 #endif
 } isc_md5_t;
@@ -93,6 +92,9 @@ isc_md5_update(isc_md5_t *ctx, const unsigned char *buf, unsigned int len);
 void
 isc_md5_final(isc_md5_t *ctx, unsigned char *digest);
 
+isc_boolean_t
+isc_md5_check(isc_boolean_t testing);
+
 ISC_LANG_ENDDECLS
 
 #endif /* !PK11_MD5_DISABLE */
diff --git a/usr.sbin/bind/lib/isc/include/isc/mem.h b/usr.sbin/bind/lib/isc/include/isc/mem.h
index ede0327129b..bf790265204 100644
--- a/usr.sbin/bind/lib/isc/include/isc/mem.h
+++ b/usr.sbin/bind/lib/isc/include/isc/mem.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2013, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/msgcat.h b/usr.sbin/bind/lib/isc/include/isc/msgcat.h
index d5024878590..e1bac9f372d 100644
--- a/usr.sbin/bind/lib/isc/include/isc/msgcat.h
+++ b/usr.sbin/bind/lib/isc/include/isc/msgcat.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: msgcat.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_MSGCAT_H
 #define ISC_MSGCAT_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/msgs.h b/usr.sbin/bind/lib/isc/include/isc/msgs.h
index 04087ef07f2..84b5bdc3d80 100644
--- a/usr.sbin/bind/lib/isc/include/isc/msgs.h
+++ b/usr.sbin/bind/lib/isc/include/isc/msgs.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgs.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: msgs.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_MSGS_H
 #define ISC_MSGS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/mutexblock.h b/usr.sbin/bind/lib/isc/include/isc/mutexblock.h
index 4c704aee9a7..4976abc45c9 100644
--- a/usr.sbin/bind/lib/isc/include/isc/mutexblock.h
+++ b/usr.sbin/bind/lib/isc/include/isc/mutexblock.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: mutexblock.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_MUTEXBLOCK_H
 #define ISC_MUTEXBLOCK_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/netaddr.h b/usr.sbin/bind/lib/isc/include/isc/netaddr.h
index 0b7b3095db0..94e8b76f01b 100644
--- a/usr.sbin/bind/lib/isc/include/isc/netaddr.h
+++ b/usr.sbin/bind/lib/isc/include/isc/netaddr.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: netaddr.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
@@ -181,6 +180,12 @@ isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
  *	ISC_R_FAILURE		extra bits.
  */
 
+isc_boolean_t
+isc_netaddr_isloopback(const isc_netaddr_t *na);
+/*
+ * Test whether the netaddr 'na' is a loopback IPv4 or IPv6 address (in
+ * 127.0.0.0/8 or ::1).
+ */
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_NETADDR_H */
diff --git a/usr.sbin/bind/lib/isc/include/isc/netscope.h b/usr.sbin/bind/lib/isc/include/isc/netscope.h
index c6ab9d6ee6e..ae9ceb88f83 100644
--- a/usr.sbin/bind/lib/isc/include/isc/netscope.h
+++ b/usr.sbin/bind/lib/isc/include/isc/netscope.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netscope.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: netscope.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_NETSCOPE_H
 #define ISC_NETSCOPE_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/ondestroy.h b/usr.sbin/bind/lib/isc/include/isc/ondestroy.h
index 3d07cfe31ad..35d05256cd6 100644
--- a/usr.sbin/bind/lib/isc/include/isc/ondestroy.h
+++ b/usr.sbin/bind/lib/isc/include/isc/ondestroy.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: ondestroy.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/os.h b/usr.sbin/bind/lib/isc/include/isc/os.h
index 06afdb13c60..2de61cba7aa 100644
--- a/usr.sbin/bind/lib/isc/include/isc/os.h
+++ b/usr.sbin/bind/lib/isc/include/isc/os.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: os.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_OS_H
 #define ISC_OS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/parseint.h b/usr.sbin/bind/lib/isc/include/isc/parseint.h
index a63887f776e..e2290c18646 100644
--- a/usr.sbin/bind/lib/isc/include/isc/parseint.h
+++ b/usr.sbin/bind/lib/isc/include/isc/parseint.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: parseint.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_PARSEINT_H
 #define ISC_PARSEINT_H 1
@@ -43,7 +42,7 @@ isc_result_t
 isc_parse_uint8(isc_uint8_t *uip, const char *string, int base);
 /*%<
  * Parse the null-terminated string 'string' containing a base 'base'
- * integer, storing the result in '*uip'.  
+ * integer, storing the result in '*uip'.
  * The base is interpreted
  * as in strtoul().  Unlike strtoul(), leading whitespace, minus or
  * plus signs are not accepted, and all errors (including overflow)
diff --git a/usr.sbin/bind/lib/isc/include/isc/platform.h.in b/usr.sbin/bind/lib/isc/include/isc/platform.h.in
index 69b49891b6c..1cf7e456564 100644
--- a/usr.sbin/bind/lib/isc/include/isc/platform.h.in
+++ b/usr.sbin/bind/lib/isc/include/isc/platform.h.in
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -311,6 +310,12 @@
 @ISC_PLATFORM_HAVECMPXCHG@
 
 /*
+ * If <stdatomic.h> is available on this architecture,
+ * ISC_PLATFORM_HAVESTDATOMIC will be defined.
+ */
+@ISC_PLATFORM_HAVESTDATOMIC@
+
+/*
  * Define if gcc ASM extension is available
  */
 @ISC_PLATFORM_USEGCCASM@
diff --git a/usr.sbin/bind/lib/isc/include/isc/pool.h b/usr.sbin/bind/lib/isc/include/isc/pool.h
index 7b33c37bb79..c03f486efdf 100644
--- a/usr.sbin/bind/lib/isc/include/isc/pool.h
+++ b/usr.sbin/bind/lib/isc/include/isc/pool.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/portset.h b/usr.sbin/bind/lib/isc/include/isc/portset.h
index 69f2bdfc0f3..b3d2b9dbf68 100644
--- a/usr.sbin/bind/lib/isc/include/isc/portset.h
+++ b/usr.sbin/bind/lib/isc/include/isc/portset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portset.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: portset.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/portset.h
  * \brief Transport Protocol Port Manipulation Module
diff --git a/usr.sbin/bind/lib/isc/include/isc/print.h b/usr.sbin/bind/lib/isc/include/isc/print.h
index d7fca7442d5..45d33ff7ebc 100644
--- a/usr.sbin/bind/lib/isc/include/isc/print.h
+++ b/usr.sbin/bind/lib/isc/include/isc/print.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/queue.h b/usr.sbin/bind/lib/isc/include/isc/queue.h
index 0d5dc53d7b7..52bcdb62716 100644
--- a/usr.sbin/bind/lib/isc/include/isc/queue.h
+++ b/usr.sbin/bind/lib/isc/include/isc/queue.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: queue.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: queue.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 /*
  * This is a generic implementation of a two-lock concurrent queue.
diff --git a/usr.sbin/bind/lib/isc/include/isc/quota.h b/usr.sbin/bind/lib/isc/include/isc/quota.h
index 362f535d92e..f7be2d2d79a 100644
--- a/usr.sbin/bind/lib/isc/include/isc/quota.h
+++ b/usr.sbin/bind/lib/isc/include/isc/quota.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: quota.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_QUOTA_H
 #define ISC_QUOTA_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/radix.h b/usr.sbin/bind/lib/isc/include/isc/radix.h
index 0fd3158e909..f3c2677b685 100644
--- a/usr.sbin/bind/lib/isc/include/isc/radix.h
+++ b/usr.sbin/bind/lib/isc/include/isc/radix.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007, 2008, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: radix.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: radix.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 /*
  * This source was adapted from MRT's RCS Ids:
diff --git a/usr.sbin/bind/lib/isc/include/isc/random.h b/usr.sbin/bind/lib/isc/include/isc/random.h
index 2e2d69796f3..1dfe59d9970 100644
--- a/usr.sbin/bind/lib/isc/include/isc/random.h
+++ b/usr.sbin/bind/lib/isc/include/isc/random.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.h,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: random.h,v 1.4 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/ratelimiter.h b/usr.sbin/bind/lib/isc/include/isc/ratelimiter.h
index cb5a0a508d1..3ae7c8417a8 100644
--- a/usr.sbin/bind/lib/isc/include/isc/ratelimiter.h
+++ b/usr.sbin/bind/lib/isc/include/isc/ratelimiter.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: ratelimiter.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RATELIMITER_H
 #define ISC_RATELIMITER_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/refcount.h b/usr.sbin/bind/lib/isc/include/isc/refcount.h
index 87d4c1dfff2..016db6529e8 100644
--- a/usr.sbin/bind/lib/isc/include/isc/refcount.h
+++ b/usr.sbin/bind/lib/isc/include/isc/refcount.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,17 +14,22 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.h,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: refcount.h,v 1.6 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_REFCOUNT_H
 #define ISC_REFCOUNT_H 1
 
+#include <isc/assertions.h>
 #include <isc/atomic.h>
+#include <isc/error.h>
 #include <isc/lang.h>
 #include <isc/mutex.h>
 #include <isc/platform.h>
 #include <isc/types.h>
-#include <isc/util.h>
+
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#include <stdatomic.h>
+#endif
 
 /*! \file isc/refcount.h
  * \brief Implements a locked reference counter.
@@ -95,16 +99,64 @@ ISC_LANG_BEGINDECLS
  * Sample implementations
  */
 #ifdef ISC_PLATFORM_USETHREADS
-#ifdef ISC_PLATFORM_HAVEXADD
-
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD)
 #define ISC_REFCOUNT_HAVEATOMIC 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_REFCOUNT_HAVESTDATOMIC 1
+#endif
 
 typedef struct isc_refcount {
+#if defined(ISC_REFCOUNT_HAVESTDATOMIC)
+	atomic_int_fast32_t refs;
+#else
 	isc_int32_t refs;
+#endif
 } isc_refcount_t;
 
-#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
-#define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
+#if defined(ISC_REFCOUNT_HAVESTDATOMIC)
+
+#define isc_refcount_current(rp)					\
+	((unsigned int)(atomic_load_explicit(&(rp)->refs,		\
+					     memory_order_relaxed)))
+#define isc_refcount_destroy(rp) ISC_REQUIRE(isc_refcount_current(rp) == 0)
+
+#define isc_refcount_increment0(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = atomic_fetch_add_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_increment(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = atomic_fetch_add_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev + 1;			\
+	} while (0)
+
+#define isc_refcount_decrement(rp, tp)				\
+	do {							\
+		unsigned int *_tmp = (unsigned int *)(tp);	\
+		isc_int32_t prev;				\
+		prev = atomic_fetch_sub_explicit		\
+			(&(rp)->refs, 1, memory_order_relaxed); \
+		ISC_REQUIRE(prev > 0);				\
+		if (_tmp != NULL)				\
+			*_tmp = prev - 1;			\
+	} while (0)
+
+#else /* ISC_REFCOUNT_HAVESTDATOMIC */
+
+#define isc_refcount_current(rp)				\
+	((unsigned int)(isc_atomic_xadd(&(rp)->refs, 0)))
+#define isc_refcount_destroy(rp) ISC_REQUIRE(isc_refcount_current(rp) == 0)
 
 #define isc_refcount_increment0(rp, tp)				\
 	do {							\
@@ -120,7 +172,7 @@ typedef struct isc_refcount {
 		unsigned int *_tmp = (unsigned int *)(tp);	\
 		isc_int32_t prev;				\
 		prev = isc_atomic_xadd(&(rp)->refs, 1);		\
-		REQUIRE(prev > 0);				\
+		ISC_REQUIRE(prev > 0);				\
 		if (_tmp != NULL)				\
 			*_tmp = prev + 1;			\
 	} while (0)
@@ -130,11 +182,13 @@ typedef struct isc_refcount {
 		unsigned int *_tmp = (unsigned int *)(tp);	\
 		isc_int32_t prev;				\
 		prev = isc_atomic_xadd(&(rp)->refs, -1);	\
-		REQUIRE(prev > 0);				\
+		ISC_REQUIRE(prev > 0);				\
 		if (_tmp != NULL)				\
 			*_tmp = prev - 1;			\
 	} while (0)
 
+#endif /* ISC_REFCOUNT_HAVESTDATOMIC */
+
 #else  /* ISC_PLATFORM_HAVEXADD */
 
 typedef struct isc_refcount {
@@ -143,56 +197,73 @@ typedef struct isc_refcount {
 } isc_refcount_t;
 
 /*% Destroys a reference counter. */
-#define isc_refcount_destroy(rp)			\
-	do {						\
-		REQUIRE((rp)->refs == 0);		\
-		DESTROYLOCK(&(rp)->lock);		\
+#define isc_refcount_destroy(rp)					\
+	do {								\
+		isc_result_t _result;					\
+		ISC_REQUIRE((rp)->refs == 0);				\
+		_result = isc_mutex_destroy(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
 	} while (0)
 
 #define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
 
-/*% Increments the reference count, returning the new value in targetp if it's not NULL. */
-#define isc_refcount_increment0(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		++((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
+/*%
+ * Increments the reference count, returning the new value in
+ * 'tp' if it's not NULL.
+ */
+#define isc_refcount_increment0(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		++((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
 	} while (0)
 
-#define isc_refcount_increment(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		REQUIRE((rp)->refs > 0);			\
-		++((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
+#define isc_refcount_increment(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		++((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
 	} while (0)
 
-/*% Decrements the reference count,  returning the new value in targetp if it's not NULL. */
-#define isc_refcount_decrement(rp, tp)				\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(tp);	\
-		LOCK(&(rp)->lock);				\
-		REQUIRE((rp)->refs > 0);			\
-		--((rp)->refs);					\
-		if (_tmp != NULL)				\
-			*_tmp = ((rp)->refs);			\
-		UNLOCK(&(rp)->lock);				\
+/*%
+ * Decrements the reference count, returning the new value in 'tp'
+ * if it's not NULL.
+ */
+#define isc_refcount_decrement(rp, tp)					\
+	do {								\
+		isc_result_t _result;					\
+		unsigned int *_tmp = (unsigned int *)(tp);		\
+		_result = isc_mutex_lock(&(rp)->lock);			\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
+		ISC_REQUIRE((rp)->refs > 0);				\
+		--((rp)->refs);						\
+		if (_tmp != NULL)					\
+			*_tmp = ((rp)->refs);				\
+		_result = isc_mutex_unlock(&(rp)->lock);		\
+		ISC_ERROR_RUNTIMECHECK(_result == ISC_R_SUCCESS);	\
 	} while (0)
 
-#endif /* ISC_PLATFORM_HAVEXADD */
+#endif /* (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD) */
 #else  /* ISC_PLATFORM_USETHREADS */
 
 typedef struct isc_refcount {
 	int refs;
 } isc_refcount_t;
 
-#define isc_refcount_destroy(rp) REQUIRE((rp)->refs == 0)
+#define isc_refcount_destroy(rp) ISC_REQUIRE((rp)->refs == 0)
 #define isc_refcount_current(rp) ((unsigned int)((rp)->refs))
 
 #define isc_refcount_increment0(rp, tp)					\
@@ -207,7 +278,7 @@ typedef struct isc_refcount {
 	do {								\
 		unsigned int *_tmp = (unsigned int *)(tp);		\
 		int _n;							\
-		REQUIRE((rp)->refs > 0);				\
+		ISC_REQUIRE((rp)->refs > 0);				\
 		_n = ++(rp)->refs;					\
 		if (_tmp != NULL)					\
 			*_tmp = _n;					\
@@ -217,7 +288,7 @@ typedef struct isc_refcount {
 	do {								\
 		unsigned int *_tmp = (unsigned int *)(tp);		\
 		int _n;							\
-		REQUIRE((rp)->refs > 0);				\
+		ISC_REQUIRE((rp)->refs > 0);				\
 		_n = --(rp)->refs;					\
 		if (_tmp != NULL)					\
 			*_tmp = _n;					\
diff --git a/usr.sbin/bind/lib/isc/include/isc/regex.h b/usr.sbin/bind/lib/isc/include/isc/regex.h
index 3cf6aa4c686..3feb93379ef 100644
--- a/usr.sbin/bind/lib/isc/include/isc/regex.h
+++ b/usr.sbin/bind/lib/isc/include/isc/regex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/region.h b/usr.sbin/bind/lib/isc/include/isc/region.h
index dcdfd84fa8c..b3b61821872 100644
--- a/usr.sbin/bind/lib/isc/include/isc/region.h
+++ b/usr.sbin/bind/lib/isc/include/isc/region.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: region.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_REGION_H
 #define ISC_REGION_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/resource.h b/usr.sbin/bind/lib/isc/include/isc/resource.h
index a87afa5451c..57f38fe32cd 100644
--- a/usr.sbin/bind/lib/isc/include/isc/resource.h
+++ b/usr.sbin/bind/lib/isc/include/isc/resource.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.h,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: resource.h,v 1.4 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RESOURCE_H
 #define ISC_RESOURCE_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/result.h b/usr.sbin/bind/lib/isc/include/isc/result.h
index 00f8955212f..00b00f07cf0 100644
--- a/usr.sbin/bind/lib/isc/include/isc/result.h
+++ b/usr.sbin/bind/lib/isc/include/isc/result.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: result.h,v 1.4 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/resultclass.h b/usr.sbin/bind/lib/isc/include/isc/resultclass.h
index 0c6920bdd23..d2c6b49fcdc 100644
--- a/usr.sbin/bind/lib/isc/include/isc/resultclass.h
+++ b/usr.sbin/bind/lib/isc/include/isc/resultclass.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: resultclass.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/rwlock.h b/usr.sbin/bind/lib/isc/include/isc/rwlock.h
index 1b5d6fcbd1b..5f3778df05d 100644
--- a/usr.sbin/bind/lib/isc/include/isc/rwlock.h
+++ b/usr.sbin/bind/lib/isc/include/isc/rwlock.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.h,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: rwlock.h,v 1.6 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_RWLOCK_H
 #define ISC_RWLOCK_H 1
@@ -27,6 +26,11 @@
 #include <isc/platform.h>
 #include <isc/types.h>
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#include <stdint.h>
+#include <stdatomic.h>
+#endif
+
 ISC_LANG_BEGINDECLS
 
 typedef enum {
@@ -36,8 +40,11 @@ typedef enum {
 } isc_rwlocktype_t;
 
 #ifdef ISC_PLATFORM_USETHREADS
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || (defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG))
 #define ISC_RWLOCK_USEATOMIC 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_RWLOCK_USESTDATOMIC 1
+#endif
 #endif
 
 struct isc_rwlock {
@@ -45,7 +52,7 @@ struct isc_rwlock {
 	unsigned int		magic;
 	isc_mutex_t		lock;
 
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#if defined(ISC_RWLOCK_USEATOMIC)
 	/*
 	 * When some atomic instructions with hardware assistance are
 	 * available, rwlock will use those so that concurrent readers do not
@@ -60,9 +67,15 @@ struct isc_rwlock {
 	 */
 
 	/* Read or modified atomically. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	atomic_int_fast32_t	write_requests;
+	atomic_int_fast32_t	write_completions;
+	atomic_int_fast32_t	cnt_and_flag;
+#else
 	isc_int32_t		write_requests;
 	isc_int32_t		write_completions;
 	isc_int32_t		cnt_and_flag;
+#endif
 
 	/* Locked by lock. */
 	isc_condition_t		readable;
@@ -75,7 +88,7 @@ struct isc_rwlock {
 	/* Unlocked. */
 	unsigned int		write_quota;
 
-#else  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+#else  /* ISC_RWLOCK_USEATOMIC */
 
 	/*%< Locked by lock. */
 	isc_condition_t		readable;
@@ -91,13 +104,13 @@ struct isc_rwlock {
 	 * when the quota is reached and it is time to switch.
 	 */
 	unsigned int		granted;
-	
+
 	unsigned int		readers_waiting;
 	unsigned int		writers_waiting;
 	unsigned int		read_quota;
 	unsigned int		write_quota;
 	isc_rwlocktype_t	original;
-#endif  /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+#endif  /* ISC_RWLOCK_USEATOMIC */
 };
 #else /* ISC_PLATFORM_USETHREADS */
 struct isc_rwlock {
diff --git a/usr.sbin/bind/lib/isc/include/isc/safe.h b/usr.sbin/bind/lib/isc/include/isc/safe.h
index 0815c0001a6..d765d2602b5 100644
--- a/usr.sbin/bind/lib/isc/include/isc/safe.h
+++ b/usr.sbin/bind/lib/isc/include/isc/safe.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: safe.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: safe.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_SAFE_H
 #define ISC_SAFE_H 1
@@ -22,6 +22,7 @@
 /*! \file isc/safe.h */
 
 #include <isc/types.h>
+#include <stdlib.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -39,6 +40,18 @@ isc_safe_memcompare(const void *b1, const void *b2, size_t len);
  * Clone of libc memcmp() which is safe to differential timing attacks.
  */
 
+void
+isc_safe_memwipe(void *ptr, size_t len);
+/*%<
+ * Clear the memory of length `len` pointed to by `ptr`.
+ *
+ * Some crypto code calls memset() on stack allocated buffers just
+ * before return so that they are wiped. Such memset() calls can be
+ * optimized away by the compiler. We provide this external non-inline C
+ * function to perform the memset operation so that the compiler cannot
+ * infer about what the function does and optimize the call away.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SAFE_H */
diff --git a/usr.sbin/bind/lib/isc/include/isc/serial.h b/usr.sbin/bind/lib/isc/include/isc/serial.h
index b7544518e67..65e8dd72faf 100644
--- a/usr.sbin/bind/lib/isc/include/isc/serial.h
+++ b/usr.sbin/bind/lib/isc/include/isc/serial.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: serial.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_SERIAL_H
 #define ISC_SERIAL_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/sha1.h b/usr.sbin/bind/lib/isc/include/isc/sha1.h
index 43e7b874c1c..85733207064 100644
--- a/usr.sbin/bind/lib/isc/include/isc/sha1.h
+++ b/usr.sbin/bind/lib/isc/include/isc/sha1.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +17,7 @@
 #ifndef ISC_SHA1_H
 #define ISC_SHA1_H 1
 
-/* $Id: sha1.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sha1.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
 
@@ -41,7 +40,7 @@
 
 typedef struct {
 	EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_MD_CTX _ctx;
 #endif
 } isc_sha1_t;
@@ -74,6 +73,9 @@ isc_sha1_update(isc_sha1_t *ctx, const unsigned char *data, unsigned int len);
 void
 isc_sha1_final(isc_sha1_t *ctx, unsigned char *digest);
 
+isc_boolean_t
+isc_sha1_check(isc_boolean_t testing);
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SHA1_H */
diff --git a/usr.sbin/bind/lib/isc/include/isc/sha2.h b/usr.sbin/bind/lib/isc/include/isc/sha2.h
index b26f7e8872d..f0db15433d0 100644
--- a/usr.sbin/bind/lib/isc/include/isc/sha2.h
+++ b/usr.sbin/bind/lib/isc/include/isc/sha2.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007, 2009, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sha2.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.h,v 1.1.2.1 2001/07/03 11:01:36 ume Exp $	*/
 /*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
@@ -78,13 +78,17 @@
 
 /*** SHA-256/384/512 Context Structures *******************************/
 
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH)
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
+#endif
+
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
+
 
 typedef struct {
 	EVP_MD_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_MD_CTX _ctx;
 #endif
 } isc_sha2_t;
diff --git a/usr.sbin/bind/lib/isc/include/isc/sockaddr.h b/usr.sbin/bind/lib/isc/include/isc/sockaddr.h
index 42c49cc6533..724acaebb9e 100644
--- a/usr.sbin/bind/lib/isc/include/isc/sockaddr.h
+++ b/usr.sbin/bind/lib/isc/include/isc/sockaddr.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sockaddr.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/socket.h b/usr.sbin/bind/lib/isc/include/isc/socket.h
index 6d17653b0e0..5cfc93b42b0 100644
--- a/usr.sbin/bind/lib/isc/include/isc/socket.h
+++ b/usr.sbin/bind/lib/isc/include/isc/socket.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.6 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: socket.h,v 1.7 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/stats.h b/usr.sbin/bind/lib/isc/include/isc/stats.h
index 1627f3766fc..7e2fa71015f 100644
--- a/usr.sbin/bind/lib/isc/include/isc/stats.h
+++ b/usr.sbin/bind/lib/isc/include/isc/stats.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: stats.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_STATS_H
 #define ISC_STATS_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/stdio.h b/usr.sbin/bind/lib/isc/include/isc/stdio.h
index 5cc0e1f6024..9ccd1980e1c 100644
--- a/usr.sbin/bind/lib/isc/include/isc/stdio.h
+++ b/usr.sbin/bind/lib/isc/include/isc/stdio.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: stdio.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_STDIO_H
 #define ISC_STDIO_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/stdlib.h b/usr.sbin/bind/lib/isc/include/isc/stdlib.h
index ffa4b6d5281..8d875a27280 100644
--- a/usr.sbin/bind/lib/isc/include/isc/stdlib.h
+++ b/usr.sbin/bind/lib/isc/include/isc/stdlib.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdlib.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: stdlib.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_STDLIB_H
 #define ISC_STDLIB_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/string.h b/usr.sbin/bind/lib/isc/include/isc/string.h
index 538bf3fe654..66375cf624d 100644
--- a/usr.sbin/bind/lib/isc/include/isc/string.h
+++ b/usr.sbin/bind/lib/isc/include/isc/string.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.h,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: string.h,v 1.6 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_STRING_H
 #define ISC_STRING_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/symtab.h b/usr.sbin/bind/lib/isc/include/isc/symtab.h
index 93608a29afd..274e878e518 100644
--- a/usr.sbin/bind/lib/isc/include/isc/symtab.h
+++ b/usr.sbin/bind/lib/isc/include/isc/symtab.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: symtab.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/task.h b/usr.sbin/bind/lib/isc/include/isc/task.h
index e63415c907d..b85f2c85d3e 100644
--- a/usr.sbin/bind/lib/isc/include/isc/task.h
+++ b/usr.sbin/bind/lib/isc/include/isc/task.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: task.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -467,7 +466,7 @@ isc_task_onshutdown(isc_task_t *task, isc_taskaction_t action,
  *
  *\li	#ISC_R_SUCCESS
  *\li	#ISC_R_NOMEMORY
- *\li	#ISC_R_TASKSHUTTINGDOWN			Task is shutting down.
+ *\li	#ISC_R_SHUTTINGDOWN			Task is shutting down.
  */
 
 void
diff --git a/usr.sbin/bind/lib/isc/include/isc/taskpool.h b/usr.sbin/bind/lib/isc/include/isc/taskpool.h
index e5045e086d8..1b8e2b1b2cd 100644
--- a/usr.sbin/bind/lib/isc/include/isc/taskpool.h
+++ b/usr.sbin/bind/lib/isc/include/isc/taskpool.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: taskpool.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_TASKPOOL_H
 #define ISC_TASKPOOL_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/timer.h b/usr.sbin/bind/lib/isc/include/isc/timer.h
index c7873d53c7f..bf71bcb8616 100644
--- a/usr.sbin/bind/lib/isc/include/isc/timer.h
+++ b/usr.sbin/bind/lib/isc/include/isc/timer.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: timer.h,v 1.4 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/tm.h b/usr.sbin/bind/lib/isc/include/isc/tm.h
index 44b81480e45..8543fc34229 100644
--- a/usr.sbin/bind/lib/isc/include/isc/tm.h
+++ b/usr.sbin/bind/lib/isc/include/isc/tm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/isc/types.h b/usr.sbin/bind/lib/isc/include/isc/types.h
index 002269cc333..dfeddc24a13 100644
--- a/usr.sbin/bind/lib/isc/include/isc/types.h
+++ b/usr.sbin/bind/lib/isc/include/isc/types.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: types.h,v 1.6 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
diff --git a/usr.sbin/bind/lib/isc/include/isc/util.h b/usr.sbin/bind/lib/isc/include/isc/util.h
index 2d1e3e5759e..d9639de7326 100644
--- a/usr.sbin/bind/lib/isc/include/isc/util.h
+++ b/usr.sbin/bind/lib/isc/include/isc/util.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010-2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: util.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
@@ -209,13 +208,7 @@
 /*%
  * Performance
  */
-#ifdef HAVE_BUILTIN_EXPECT
-#define ISC_LIKELY(x)            __builtin_expect(!!(x), 1)
-#define ISC_UNLIKELY(x)          __builtin_expect(!!(x), 0)
-#else
-#define ISC_LIKELY(x)            (x)
-#define ISC_UNLIKELY(x)          (x)
-#endif
+#include <isc/likely.h>
 
 /*
  * Assertions
diff --git a/usr.sbin/bind/lib/isc/include/isc/version.h b/usr.sbin/bind/lib/isc/include/isc/version.h
index c5269e43941..2e7132d0857 100644
--- a/usr.sbin/bind/lib/isc/include/isc/version.h
+++ b/usr.sbin/bind/lib/isc/include/isc/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file isc/version.h */
 
diff --git a/usr.sbin/bind/lib/isc/include/isc/xml.h b/usr.sbin/bind/lib/isc/include/isc/xml.h
index 7ad387b1955..9be4e154708 100644
--- a/usr.sbin/bind/lib/isc/include/isc/xml.h
+++ b/usr.sbin/bind/lib/isc/include/isc/xml.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xml.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: xml.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_XML_H
 #define ISC_XML_H 1
diff --git a/usr.sbin/bind/lib/isc/include/pk11/Makefile.in b/usr.sbin/bind/lib/isc/include/pk11/Makefile.in
index d110b207d9c..1789378b006 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/Makefile.in
+++ b/usr.sbin/bind/lib/isc/include/pk11/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/pk11/README.site b/usr.sbin/bind/lib/isc/include/pk11/README.site
index 3207c83eb80..6c49891c358 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/README.site
+++ b/usr.sbin/bind/lib/isc/include/pk11/README.site
@@ -1,4 +1,5 @@
-Copyright (C) 2016, 2017  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
 
 How to use site.h for the PKCS#11 provider of your HSM
diff --git a/usr.sbin/bind/lib/isc/include/pk11/constants.h b/usr.sbin/bind/lib/isc/include/pk11/constants.h
index 5a8c28b7a4c..c741d35f464 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/constants.h
+++ b/usr.sbin/bind/lib/isc/include/pk11/constants.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: constants.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: constants.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef PK11_CONSTANTS_H
 #define PK11_CONSTANTS_H 1
@@ -31,6 +31,12 @@ static CK_BYTE pk11_ecc_prime256v1[] = {
 static CK_BYTE pk11_ecc_secp384r1[] = {
 	0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22
 };
+static CK_BYTE pk11_ecc_ed25519[] = {
+	0x06, 0x03, 0x2b, 0x65, 0x70
+};
+static CK_BYTE pk11_ecc_ed448[] = {
+	0x06, 0x03, 0x2b, 0x65, 0x71
+};
 #endif
 
 #ifdef WANT_DH_PRIMES
diff --git a/usr.sbin/bind/lib/isc/include/pk11/internal.h b/usr.sbin/bind/lib/isc/include/pk11/internal.h
index 609b7511335..09175fba45b 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/internal.h
+++ b/usr.sbin/bind/lib/isc/include/pk11/internal.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: internal.h,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: internal.h,v 1.2 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef PK11_INTERNAL_H
 #define PK11_INTERNAL_H 1
diff --git a/usr.sbin/bind/lib/isc/include/pk11/pk11.h b/usr.sbin/bind/lib/isc/include/pk11/pk11.h
index 750e7d12f61..c8d826ca998 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/pk11.h
+++ b/usr.sbin/bind/lib/isc/include/pk11/pk11.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/pk11/result.h b/usr.sbin/bind/lib/isc/include/pk11/result.h
index f624140812a..bcfaae27b43 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/result.h
+++ b/usr.sbin/bind/lib/isc/include/pk11/result.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/include/pk11/site.h b/usr.sbin/bind/lib/isc/include/pk11/site.h
index 8d5ac945a3d..4bdb3541d76 100644
--- a/usr.sbin/bind/lib/isc/include/pk11/site.h
+++ b/usr.sbin/bind/lib/isc/include/pk11/site.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016, 2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -31,6 +31,9 @@
  *
  *\li PK11_<algorithm>_DISABLE:
  *	Same as SKIP, and disable support for the algorithm.
+ *
+ *\li PK11_PAD_HMAC_KEYS:
+ *	Extend HMAC keys shorter than digest length.
  */
 
 /* current implemented flags are:
@@ -46,6 +49,7 @@ PK11_SHA512_HMAC_REPLACE
 PK11_MD5_DISABLE
 PK11_DSA_DISABLE
 PK11_DH_DISABLE
+PK11_PAD_HMAC_KEYS
 */
 
 /*
@@ -74,8 +78,11 @@ PK11_DH_DISABLE
 #endif
 
 #if PK11_FLAVOR == PK11_SOFTHSMV1_FLAVOR
-#define PK11_DH_DISABLE
-#define PK11_DSA_DISABLE
+#define PK11_PAD_HMAC_KEYS
+#endif
+
+#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
+/* SoftHSMv2 was updated to enforce minimal key sizes... argh! */
 #define PK11_MD5_HMAC_REPLACE
 #define PK11_SHA_1_HMAC_REPLACE
 #define PK11_SHA224_HMAC_REPLACE
@@ -84,9 +91,6 @@ PK11_DH_DISABLE
 #define PK11_SHA512_HMAC_REPLACE
 #endif
 
-#if PK11_FLAVOR == PK11_SOFTHSMV2_FLAVOR
-#endif
-
 #if PK11_FLAVOR == PK11_CRYPTECH_FLAVOR
 #define PK11_DH_DISABLE
 #define PK11_DSA_DISABLE
diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in b/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in
index 274f3194b37..2736257ea6a 100644
--- a/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in
+++ b/usr.sbin/bind/lib/isc/include/pkcs11/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2014-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1 2019/12/16 16:31:36 deraadt Exp $
+# $Id: Makefile.in,v 1.2 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ VERSION=@BIND9_VERSION@
 # machine generated.  The latter are handled specially in the
 # install target below.
 #
-HEADERS =	pkcs11f.h pkcs11.h pkcs11t.h
+HEADERS =	pkcs11f.h pkcs11.h pkcs11t.h eddsa.h
 SUBDIRS =
 TARGETS =
 
diff --git a/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h b/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h
new file mode 100644
index 00000000000..c67e4223101
--- /dev/null
+++ b/usr.sbin/bind/lib/isc/include/pkcs11/eddsa.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _EDDSA_H_
+#define _EDDSA_H_ 1
+
+#ifndef CKK_EDDSA
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKK_EDDSA               0x00008003UL
+#endif
+#endif
+
+#ifndef CKM_EDDSA_KEY_PAIR_GEN
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKM_EDDSA_KEY_PAIR_GEN         0x00009040UL
+#endif
+#endif
+
+#ifndef CKM_EDDSA
+#ifdef PK11_SOFTHSMV2_FLAVOR
+#define CKM_EDDSA                      0x00009041UL
+#endif
+#endif
+
+#endif /* _EDDSA_H_ */
diff --git a/usr.sbin/bind/lib/isc/inet_aton.c b/usr.sbin/bind/lib/isc/inet_aton.c
index c3d6bf675d2..b5afe01ed26 100644
--- a/usr.sbin/bind/lib/isc/inet_aton.c
+++ b/usr.sbin/bind/lib/isc/inet_aton.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2008, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -67,7 +66,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.6 2019/12/16 16:16:26 deraadt Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.7 2019/12/17 01:46:34 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -91,8 +90,8 @@ isc_net_aton(const char *cp, struct in_addr *addr) {
 	int base;
 	ptrdiff_t n;
 	unsigned char c;
-	isc_uint8_t parts[4];
-	isc_uint8_t *pp = parts;
+	isc_uint32_t parts[4];
+	isc_uint32_t *pp = parts;
 	int digit;
 
 	c = *cp;
@@ -144,7 +143,7 @@ isc_net_aton(const char *cp, struct in_addr *addr) {
 			 */
 			if (pp >= parts + 3 || val > 0xffU)
 				return (0);
-			*pp++ = (isc_uint8_t)val;
+			*pp++ = val;
 			c = *++cp;
 		} else
 			break;
diff --git a/usr.sbin/bind/lib/isc/inet_ntop.c b/usr.sbin/bind/lib/isc/inet_ntop.c
index 670c38bc976..58a032009a8 100644
--- a/usr.sbin/bind/lib/isc/inet_ntop.c
+++ b/usr.sbin/bind/lib/isc/inet_ntop.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_ntop.c,v 1.6 2019/12/16 16:16:26 deraadt Exp $";
+	"$Id: inet_ntop.c,v 1.7 2019/12/17 01:46:34 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -30,6 +29,8 @@ static char rcsid[] =
 
 #include <isc/net.h>
 #include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
 
 #define NS_INT16SZ	 2
 #define NS_IN6ADDRSZ	16
@@ -89,13 +90,15 @@ inet_ntop4(const unsigned char *src, char *dst, size_t size)
 {
 	static const char *fmt = "%u.%u.%u.%u";
 	char tmp[sizeof("255.255.255.255")];
+	int n;
 
-	if ((size_t)sprintf(tmp, fmt, src[0], src[1], src[2], src[3]) >= size)
-	{
+
+	n = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
+	if (n < 0 || (size_t)n >= size) {
 		errno = ENOSPC;
 		return (NULL);
 	}
-	strcpy(dst, tmp);
+	strlcpy(dst, tmp, size);
 
 	return (dst);
 }
@@ -131,7 +134,9 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 	for (i = 0; i < NS_IN6ADDRSZ; i++)
 		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
 	best.base = -1;
+	best.len = 0;	/* silence compiler */
 	cur.base = -1;
+	cur.len = 0;	/* silence compiler */
 	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
 		if (words[i] == 0) {
 			if (cur.base == -1)
@@ -178,7 +183,8 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 			tp += strlen(tp);
 			break;
 		}
-		tp += sprintf(tp, "%x", words[i]);
+		INSIST((size_t)(tp - tmp) < sizeof(tmp));
+		tp += snprintf(tp, sizeof(tmp) - (tp - tmp), "%x", words[i]);
 	}
 	/* Was it a trailing run of 0x00's? */
 	if (best.base != -1 && (best.base + best.len) ==
@@ -193,7 +199,7 @@ inet_ntop6(const unsigned char *src, char *dst, size_t size)
 		errno = ENOSPC;
 		return (NULL);
 	}
-	strcpy(dst, tmp);
+	strlcpy(dst, tmp, size);
 	return (dst);
 }
 #endif /* AF_INET6 */
diff --git a/usr.sbin/bind/lib/isc/inet_pton.c b/usr.sbin/bind/lib/isc/inet_pton.c
index 0fb069eaf37..d43485c9646 100644
--- a/usr.sbin/bind/lib/isc/inet_pton.c
+++ b/usr.sbin/bind/lib/isc/inet_pton.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_pton.c,v 1.6 2019/12/16 16:16:26 deraadt Exp $";
+	"$Id: inet_pton.c,v 1.7 2019/12/17 01:46:34 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -91,14 +90,14 @@ inet_pton4(const char *src, unsigned char *dst) {
 		const char *pch;
 
 		if ((pch = strchr(digits, ch)) != NULL) {
-			unsigned int new = *tp * 10;
+			unsigned int byte = *tp * 10;
 
-			new += (int)(pch - digits);
+			byte += (int)(pch - digits);
 			if (saw_digit && *tp == 0)
 				return (0);
-			if (new > 255)
+			if (byte > 255)
 				return (0);
-			*tp = new;
+			*tp = byte;
 			if (!saw_digit) {
 				if (++octets > 4)
 					return (0);
diff --git a/usr.sbin/bind/lib/isc/iterated_hash.c b/usr.sbin/bind/lib/isc/iterated_hash.c
index 0d764f7644a..242dc647cb9 100644
--- a/usr.sbin/bind/lib/isc/iterated_hash.c
+++ b/usr.sbin/bind/lib/isc/iterated_hash.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: iterated_hash.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: iterated_hash.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #include "config.h"
 
diff --git a/usr.sbin/bind/lib/isc/lex.c b/usr.sbin/bind/lib/isc/lex.c
index 00d02c278fa..c6627cf83a8 100644
--- a/usr.sbin/bind/lib/isc/lex.c
+++ b/usr.sbin/bind/lib/isc/lex.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013-2015, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.c,v 1.7 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lex.c,v 1.8 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -71,17 +70,17 @@ struct isc_lex {
 
 static inline isc_result_t
 grow_data(isc_lex_t *lex, size_t *remainingp, char **currp, char **prevp) {
-	char *new;
+	char *tmp;
 
-	new = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
-	if (new == NULL)
+	tmp = isc_mem_get(lex->mctx, lex->max_token * 2 + 1);
+	if (tmp == NULL)
 		return (ISC_R_NOMEMORY);
-	memmove(new, lex->data, lex->max_token + 1);
-	*currp = new + (*currp - lex->data);
+	memmove(tmp, lex->data, lex->max_token + 1);
+	*currp = tmp + (*currp - lex->data);
 	if (*prevp != NULL)
-		*prevp = new + (*prevp - lex->data);
+		*prevp = tmp + (*prevp - lex->data);
 	isc_mem_put(lex->mctx, lex->data, lex->max_token + 1);
-	lex->data = new;
+	lex->data = tmp;
 	*remainingp += lex->max_token;
 	lex->max_token *= 2;
 	return (ISC_R_SUCCESS);
diff --git a/usr.sbin/bind/lib/isc/lfsr.c b/usr.sbin/bind/lib/isc/lfsr.c
index 62c6cbb673d..27b5454c4e3 100644
--- a/usr.sbin/bind/lib/isc/lfsr.c
+++ b/usr.sbin/bind/lib/isc/lfsr.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.c,v 1.7 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lfsr.c,v 1.8 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/lib.c b/usr.sbin/bind/lib/isc/lib.c
index f1ff5e6aa62..3180dbc1d38 100644
--- a/usr.sbin/bind/lib/isc/lib.c
+++ b/usr.sbin/bind/lib/isc/lib.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: lib.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/log.c b/usr.sbin/bind/lib/isc/log.c
index eb1f9f612a6..da8be20b293 100644
--- a/usr.sbin/bind/lib/isc/log.c
+++ b/usr.sbin/bind/lib/isc/log.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.10 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: log.c,v 1.11 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
@@ -1227,7 +1226,7 @@ static isc_result_t
 roll_log(isc_logchannel_t *channel) {
 	int i, n, greatest;
 	char current[PATH_MAX + 1];
-	char new[PATH_MAX + 1];
+	char newpath[PATH_MAX + 1];
 	const char *path;
 	isc_result_t result;
 
@@ -1247,10 +1246,9 @@ roll_log(isc_logchannel_t *channel) {
 		 */
 		for (greatest = 0; greatest < INT_MAX; greatest++) {
 			n = snprintf(current, sizeof(current),
-				     "%s.%u", path, greatest) ;
-			if (n >= (int)sizeof(current) || n < 0)
-				break;
-			if (!isc_file_exists(current))
+				     "%s.%u", path, (unsigned)greatest) ;
+			if (n >= (int)sizeof(current) || n < 0 ||
+			    !isc_file_exists(current))
 				break;
 		}
 	} else {
@@ -1272,16 +1270,20 @@ roll_log(isc_logchannel_t *channel) {
 
 	for (i = greatest; i > 0; i--) {
 		result = ISC_R_SUCCESS;
-		n = snprintf(current, sizeof(current), "%s.%u", path, i - 1);
-		if (n >= (int)sizeof(current) || n < 0)
+		n = snprintf(current, sizeof(current), "%s.%u", path,
+			     (unsigned)(i - 1));
+		if (n >= (int)sizeof(current) || n < 0) {
 			result = ISC_R_NOSPACE;
+		}
 		if (result == ISC_R_SUCCESS) {
-			n = snprintf(new, sizeof(new), "%s.%u", path, i);
-			if (n >= (int)sizeof(new) || n < 0)
+			n = snprintf(newpath, sizeof(newpath), "%s.%u",
+				     path, (unsigned)i);
+			if (n >= (int)sizeof(newpath) || n < 0) {
 				result = ISC_R_NOSPACE;
+			}
 		}
 		if (result == ISC_R_SUCCESS)
-			result = isc_file_rename(current, new);
+			result = isc_file_rename(current, newpath);
 		if (result != ISC_R_SUCCESS &&
 		    result != ISC_R_FILENOTFOUND)
 			syslog(LOG_ERR,
@@ -1291,11 +1293,11 @@ roll_log(isc_logchannel_t *channel) {
 	}
 
 	if (FILE_VERSIONS(channel) != 0) {
-		n = snprintf(new, sizeof(new), "%s.0", path);
-		if (n >= (int)sizeof(new) || n < 0)
+		n = snprintf(newpath, sizeof(newpath), "%s.0", path);
+		if (n >= (int)sizeof(newpath) || n < 0)
 			result = ISC_R_NOSPACE;
 		else
-			result = isc_file_rename(path, new);
+			result = isc_file_rename(path, newpath);
 		if (result != ISC_R_SUCCESS &&
 		    result != ISC_R_FILENOTFOUND)
 			syslog(LOG_ERR,
@@ -1542,9 +1544,10 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			 * Check for duplicates.
 			 */
 			if (write_once) {
-				isc_logmessage_t *message, *new;
+				isc_logmessage_t *message, *next;
 				isc_time_t oldest;
 				isc_interval_t interval;
+				size_t size;
 
 				isc_interval_set(&interval,
 						 lcfg->duplicate_interval, 0);
@@ -1555,7 +1558,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				 * range.
 				 */
 				TIME_NOW(&oldest);
-				if (isc_time_subtract(&oldest, &interval, &oldest)
+				if (isc_time_subtract(&oldest, &interval,
+						      &oldest)
 				    != ISC_R_SUCCESS)
 					/*
 					 * Can't effectively do the checking
@@ -1563,7 +1567,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 					 */
 					message = NULL;
 				else
-					message =ISC_LIST_HEAD(lctx->messages);
+					message = ISC_LIST_HEAD(lctx->messages);
 
 				while (message != NULL) {
 					if (isc_time_compare(&message->time,
@@ -1580,8 +1584,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 						 * message to spring back into
 						 * existence.
 						 */
-						new = ISC_LIST_NEXT(message,
-								    link);
+						next = ISC_LIST_NEXT(message,
+								     link);
 
 						ISC_LIST_UNLINK(lctx->messages,
 								message, link);
@@ -1591,7 +1595,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 							sizeof(*message) + 1 +
 							strlen(message->text));
 
-						message = new;
+						message = next;
 						continue;
 					}
 
@@ -1617,22 +1621,24 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				 * It wasn't in the duplicate interval,
 				 * so add it to the message list.
 				 */
-				new = isc_mem_get(lctx->mctx,
-						  sizeof(isc_logmessage_t) +
-						  strlen(lctx->buffer) + 1);
-				if (new != NULL) {
+				size = sizeof(isc_logmessage_t) +
+				       strlen(lctx->buffer) + 1;
+				message = isc_mem_get(lctx->mctx, size);
+				if (message != NULL) {
 					/*
 					 * Put the text immediately after
 					 * the struct.  The strcpy is safe.
 					 */
-					new->text = (char *)(new + 1);
-					strcpy(new->text, lctx->buffer);
+					message->text = (char *)(message + 1);
+					size -= sizeof(isc_logmessage_t);
+					strlcpy(message->text, lctx->buffer,
+						size);
 
-					TIME_NOW(&new->time);
+					TIME_NOW(&message->time);
 
-					ISC_LINK_INIT(new, link);
+					ISC_LINK_INIT(message, link);
 					ISC_LIST_APPEND(lctx->messages,
-							new, link);
+							message, link);
 				}
 			}
 		}
diff --git a/usr.sbin/bind/lib/isc/md5.c b/usr.sbin/bind/lib/isc/md5.c
index ee731b17a7d..e5af8977661 100644
--- a/usr.sbin/bind/lib/isc/md5.c
+++ b/usr.sbin/bind/lib/isc/md5.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: md5.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file
  * This code implements the MD5 message-digest algorithm.
@@ -43,6 +42,7 @@
 #include <isc/assertions.h>
 #include <isc/md5.h>
 #include <isc/platform.h>
+#include <isc/safe.h>
 #include <isc/string.h>
 #include <isc/types.h>
 
@@ -54,7 +54,7 @@
 #include <isc/util.h>
 
 #ifdef ISC_PLATFORM_OPENSSLHASH
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define EVP_MD_CTX_new() &(ctx->_ctx)
 #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
 #endif
@@ -63,7 +63,9 @@ void
 isc_md5_init(isc_md5_t *ctx) {
 	ctx->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(ctx->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(ctx->ctx, EVP_md5()) == 1);
+	if (EVP_DigestInit(ctx->ctx, EVP_md5()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize MD5.");
+	}
 }
 
 void
@@ -108,7 +110,7 @@ isc_md5_invalidate(isc_md5_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(ctx);
 }
 
@@ -163,7 +165,7 @@ isc_md5_init(isc_md5_t *ctx) {
 
 void
 isc_md5_invalidate(isc_md5_t *ctx) {
-	memset(ctx, 0, sizeof(isc_md5_t));
+	isc_safe_memwipe(ctx, sizeof(*ctx));
 }
 
 /*@{*/
@@ -339,10 +341,50 @@ isc_md5_final(isc_md5_t *ctx, unsigned char *digest) {
 
 	byteSwap(ctx->buf, 4);
 	memmove(digest, ctx->buf, 16);
-	memset(ctx, 0, sizeof(isc_md5_t));	/* In case it's sensitive */
+	isc_safe_memwipe(ctx, sizeof(*ctx));	/* In case it's sensitive */
 }
 #endif
 
+/*
+ * Check for MD5 support; if it does not work, raise a fatal error.
+ *
+ * Use "a" as the test vector.
+ *
+ * Standard use is testing false and result true.
+ * Testing use is testing true and result false;
+ */
+isc_boolean_t
+isc_md5_check(isc_boolean_t testing) {
+	isc_md5_t ctx;
+	unsigned char input = 'a';
+	unsigned char digest[ISC_MD5_DIGESTLENGTH];
+	unsigned char expected[] = {
+		0x0c, 0xc1, 0x75, 0xb9, 0xc0, 0xf1, 0xb6, 0xa8,
+		0x31, 0xc3, 0x99, 0xe2, 0x69, 0x77, 0x26, 0x61
+	};
+
+	INSIST(sizeof(expected) == ISC_MD5_DIGESTLENGTH);
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	if (testing) {
+		input ^= 0x01;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_md5_init(&ctx);
+	isc_md5_update(&ctx, &input, 1U);
+	isc_md5_final(&ctx, digest);
+
+	/*
+	 * Must return true in standard case, should return false for testing.
+	 */
+	return (ISC_TF(memcmp(digest, expected, ISC_MD5_DIGESTLENGTH) == 0));
+}
+
 #else /* !PK11_MD5_DISABLE */
 #ifdef WIN32
 /* Make the Visual Studio linker happy */
@@ -352,5 +394,6 @@ void isc_md5_final() { INSIST(0); }
 void isc_md5_init() { INSIST(0); }
 void isc_md5_invalidate() { INSIST(0); }
 void isc_md5_update() { INSIST(0); }
+void isc_md5_check() { INSIST(0); }
 #endif
 #endif /* PK11_MD5_DISABLE */
diff --git a/usr.sbin/bind/lib/isc/mem.c b/usr.sbin/bind/lib/isc/mem.c
index e190d452d14..5f64f59eaf6 100644
--- a/usr.sbin/bind/lib/isc/mem.c
+++ b/usr.sbin/bind/lib/isc/mem.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2010, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -515,7 +514,7 @@ quantize(size_t size) {
 
 static inline isc_boolean_t
 more_basic_blocks(isc__mem_t *ctx) {
-	void *new;
+	void *tmp;
 	unsigned char *curr, *next;
 	unsigned char *first, *last;
 	unsigned char **table;
@@ -551,16 +550,16 @@ more_basic_blocks(isc__mem_t *ctx) {
 		ctx->basic_table_size = table_size;
 	}
 
-	new = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
-	if (new == NULL) {
+	tmp = (ctx->memalloc)(ctx->arg, NUM_BASIC_BLOCKS * ctx->mem_target);
+	if (tmp == NULL) {
 		ctx->memalloc_failures++;
 		return (ISC_FALSE);
 	}
 	ctx->total += increment;
-	ctx->basic_table[ctx->basic_table_count] = new;
+	ctx->basic_table[ctx->basic_table_count] = tmp;
 	ctx->basic_table_count++;
 
-	curr = new;
+	curr = tmp;
 	next = curr + ctx->mem_target;
 	for (i = 0; i < (NUM_BASIC_BLOCKS - 1); i++) {
 		((element *)curr)->next = (element *)next;
@@ -572,13 +571,13 @@ more_basic_blocks(isc__mem_t *ctx) {
 	 * array.
 	 */
 	((element *)curr)->next = NULL;
-	first = new;
+	first = tmp;
 	last = first + NUM_BASIC_BLOCKS * ctx->mem_target - 1;
 	if (first < ctx->lowest || ctx->lowest == NULL)
 		ctx->lowest = first;
 	if (last > ctx->highest)
 		ctx->highest = last;
-	ctx->basic_blocks = new;
+	ctx->basic_blocks = tmp;
 
 	return (ISC_TRUE);
 }
@@ -587,7 +586,7 @@ static inline isc_boolean_t
 more_frags(isc__mem_t *ctx, size_t new_size) {
 	int i, frags;
 	size_t total_size;
-	void *new;
+	void *tmp;
 	unsigned char *curr, *next;
 
 	/*!
@@ -608,7 +607,7 @@ more_frags(isc__mem_t *ctx, size_t new_size) {
 	}
 
 	total_size = ctx->mem_target;
-	new = ctx->basic_blocks;
+	tmp = ctx->basic_blocks;
 	ctx->basic_blocks = ctx->basic_blocks->next;
 	frags = (int)(total_size / new_size);
 	ctx->stats[new_size].blocks++;
@@ -617,7 +616,7 @@ more_frags(isc__mem_t *ctx, size_t new_size) {
 	 * Set up a linked-list of blocks of size
 	 * "new_size".
 	 */
-	curr = new;
+	curr = tmp;
 	next = curr + new_size;
 	total_size -= new_size;
 	for (i = 0; i < (frags - 1); i++) {
@@ -640,7 +639,7 @@ more_frags(isc__mem_t *ctx, size_t new_size) {
 	 * array.
 	 */
 	((element *)curr)->next = NULL;
-	ctx->freelists[new_size] = new;
+	ctx->freelists[new_size] = tmp;
 
 	return (ISC_TRUE);
 }
@@ -1650,12 +1649,12 @@ isc___mem_strdup(isc_mem_t *mctx0, const char *s FLARG) {
 	REQUIRE(VALID_CONTEXT(mctx));
 	REQUIRE(s != NULL);
 
-	len = strlen(s);
+	len = strlen(s) + 1;
 
-	ns = isc__mem_allocate((isc_mem_t *)mctx, len + 1 FLARG_PASS);
+	ns = isc__mem_allocate((isc_mem_t *)mctx, len FLARG_PASS);
 
 	if (ns != NULL)
-		strncpy(ns, s, len + 1);
+		strlcpy(ns, s, len);
 
 	return (ns);
 }
@@ -1806,8 +1805,7 @@ isc_mem_setname(isc_mem_t *ctx0, const char *name, void *tag) {
 	REQUIRE(VALID_CONTEXT(ctx));
 
 	LOCK(&ctx->lock);
-	memset(ctx->name, 0, sizeof(ctx->name));
-	strncpy(ctx->name, name, sizeof(ctx->name) - 1);
+	strlcpy(ctx->name, name, sizeof(ctx->name));
 	ctx->tag = tag;
 	UNLOCK(&ctx->lock);
 }
@@ -1892,8 +1890,7 @@ isc__mempool_setname(isc_mempool_t *mpctx0, const char *name) {
 	if (mpctx->lock != NULL)
 		LOCK(mpctx->lock);
 
-	strncpy(mpctx->name, name, sizeof(mpctx->name) - 1);
-	mpctx->name[sizeof(mpctx->name) - 1] = '\0';
+	strlcpy(mpctx->name, name, sizeof(mpctx->name));
 
 	if (mpctx->lock != NULL)
 		UNLOCK(mpctx->lock);
@@ -2327,14 +2324,12 @@ isc_mem_references(isc_mem_t *ctx0) {
 	return (references);
 }
 
-#if defined(HAVE_LIBXML2) || defined(HAVE_JSON)
 typedef struct summarystat {
 	isc_uint64_t	total;
 	isc_uint64_t	inuse;
 	isc_uint64_t	blocksize;
 	isc_uint64_t	contextsize;
 } summarystat_t;
-#endif
 
 #ifdef HAVE_LIBXML2
 #define TRY0(a) do { xmlrc = (a); if (xmlrc < 0) goto error; } while(0)
@@ -2541,7 +2536,7 @@ json_renderctx(isc__mem_t *ctx, summarystat_t *summary, json_object *array) {
 	ctxobj = json_object_new_object();
 	CHECKMEM(ctxobj);
 
-	sprintf(buf, "%p", ctx);
+	snprintf(buf, sizeof(buf), "%p", ctx);
 	obj = json_object_new_string(buf);
 	CHECKMEM(obj);
 	json_object_object_add(ctxobj, "id", obj);
diff --git a/usr.sbin/bind/lib/isc/mips/Makefile.in b/usr.sbin/bind/lib/isc/mips/Makefile.in
index bd22fcd7ce7..5831ff61b35 100644
--- a/usr.sbin/bind/lib/isc/mips/Makefile.in
+++ b/usr.sbin/bind/lib/isc/mips/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/mips/include/Makefile.in b/usr.sbin/bind/lib/isc/mips/include/Makefile.in
index 8185c77d537..26e6c3bd7f5 100644
--- a/usr.sbin/bind/lib/isc/mips/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/mips/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/mips/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/mips/include/isc/Makefile.in
index 246239b2a51..aefa23abcd5 100644
--- a/usr.sbin/bind/lib/isc/mips/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/mips/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/mips/include/isc/atomic.h b/usr.sbin/bind/lib/isc/mips/include/isc/atomic.h
index c6b5e8efd5a..2434791efc0 100644
--- a/usr.sbin/bind/lib/isc/mips/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/mips/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/usr.sbin/bind/lib/isc/mutexblock.c b/usr.sbin/bind/lib/isc/mutexblock.c
index 6e9df3d2c5b..781bdcf9a6a 100644
--- a/usr.sbin/bind/lib/isc/mutexblock.c
+++ b/usr.sbin/bind/lib/isc/mutexblock.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: mutexblock.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/netaddr.c b/usr.sbin/bind/lib/isc/netaddr.c
index 9f4d49eec21..d3e27df0dca 100644
--- a/usr.sbin/bind/lib/isc/netaddr.c
+++ b/usr.sbin/bind/lib/isc/netaddr.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2010-2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.c,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: netaddr.c,v 1.4 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -306,7 +305,7 @@ isc_netaddr_frompath(isc_netaddr_t *netaddr, const char *path) {
 
 	memset(netaddr, 0, sizeof(*netaddr));
 	netaddr->family = AF_UNIX;
-	strcpy(netaddr->type.un, path);
+	strlcpy(netaddr->type.un, path, sizeof(netaddr->type.un));
 	netaddr->zone = 0;
 	return (ISC_R_SUCCESS);
 #else
@@ -448,3 +447,16 @@ isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
 	memmove(&t->type.in, (char *)&src->type.in6 + 12, 4);
 	return;
 }
+
+isc_boolean_t
+isc_netaddr_isloopback(const isc_netaddr_t *na) {
+	switch (na->family) {
+	case AF_INET:
+		return (ISC_TF((ntohl(na->type.in.s_addr) & 0xff000000U) ==
+			       0x7f000000U));
+	case AF_INET6:
+		return (IN6_IS_ADDR_LOOPBACK(&na->type.in6));
+	default:
+		return (ISC_FALSE);
+	}
+}
diff --git a/usr.sbin/bind/lib/isc/netscope.c b/usr.sbin/bind/lib/isc/netscope.c
index ac27f2caf11..31513c48fe2 100644
--- a/usr.sbin/bind/lib/isc/netscope.c
+++ b/usr.sbin/bind/lib/isc/netscope.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: netscope.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $";
+	"$Id: netscope.c,v 1.3 2019/12/17 01:46:34 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -34,8 +33,8 @@ isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
 	char *ep;
 #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
 	unsigned int ifid;
-#endif
 	struct in6_addr *in6;
+#endif
 	isc_uint32_t zone;
 	isc_uint64_t llz;
 
@@ -43,8 +42,6 @@ isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
 	if (af != AF_INET6)
 		return (ISC_R_FAILURE);
 
-	in6 = (struct in6_addr *)addr;
-
 	/*
 	 * Basically, "names" are more stable than numeric IDs in terms of
 	 * renumbering, and are more preferred.  However, since there is no
@@ -54,6 +51,7 @@ isc_netscope_pton(int af, char *scopename, void *addr, isc_uint32_t *zoneid) {
 	 * interfaces and links.
 	 */
 #ifdef ISC_PLATFORM_HAVEIFNAMETOINDEX
+	in6 = (struct in6_addr *)addr;
 	if (IN6_IS_ADDR_LINKLOCAL(in6) &&
 	    (ifid = if_nametoindex((const char *)scopename)) != 0)
 		zone = (isc_uint32_t)ifid;
diff --git a/usr.sbin/bind/lib/isc/nls/Makefile.in b/usr.sbin/bind/lib/isc/nls/Makefile.in
index 1564b163d58..2db746fb91a 100644
--- a/usr.sbin/bind/lib/isc/nls/Makefile.in
+++ b/usr.sbin/bind/lib/isc/nls/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1999-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:26 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:35 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/nls/msgcat.c b/usr.sbin/bind/lib/isc/nls/msgcat.c
index e02f60039f7..73e58f78101 100644
--- a/usr.sbin/bind/lib/isc/nls/msgcat.c
+++ b/usr.sbin/bind/lib/isc/nls/msgcat.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: msgcat.c,v 1.3 2019/12/17 01:46:35 sthen Exp $ */
 
 /*! \file msgcat.c
  *
diff --git a/usr.sbin/bind/lib/isc/noatomic/Makefile.in b/usr.sbin/bind/lib/isc/noatomic/Makefile.in
index 290e63ad20c..fbb45ceca23 100644
--- a/usr.sbin/bind/lib/isc/noatomic/Makefile.in
+++ b/usr.sbin/bind/lib/isc/noatomic/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/noatomic/include/Makefile.in b/usr.sbin/bind/lib/isc/noatomic/include/Makefile.in
index 7cc58696665..01fdc099eef 100644
--- a/usr.sbin/bind/lib/isc/noatomic/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/noatomic/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/noatomic/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/noatomic/include/isc/Makefile.in
index ff6bf924113..dcdcb942fd4 100644
--- a/usr.sbin/bind/lib/isc/noatomic/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/noatomic/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/noatomic/include/isc/atomic.h b/usr.sbin/bind/lib/isc/noatomic/include/isc/atomic.h
index 2fe5e6f4fca..5804285062e 100644
--- a/usr.sbin/bind/lib/isc/noatomic/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/noatomic/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/usr.sbin/bind/lib/isc/nothreads/Makefile.in b/usr.sbin/bind/lib/isc/nothreads/Makefile.in
index 3dd1fc2790b..2c50acb7f83 100644
--- a/usr.sbin/bind/lib/isc/nothreads/Makefile.in
+++ b/usr.sbin/bind/lib/isc/nothreads/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2010, 2012, 2013  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 top_srcdir =	@top_srcdir@
 srcdir =	@srcdir@
diff --git a/usr.sbin/bind/lib/isc/nothreads/condition.c b/usr.sbin/bind/lib/isc/nothreads/condition.c
index d865bf40759..de3f7a05bf8 100644
--- a/usr.sbin/bind/lib/isc/nothreads/condition.c
+++ b/usr.sbin/bind/lib/isc/nothreads/condition.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: condition.c,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/Makefile.in b/usr.sbin/bind/lib/isc/nothreads/include/Makefile.in
index 267726289d7..01fdc099eef 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/nothreads/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/nothreads/include/isc/Makefile.in
index 61a917018b3..8900f7dcb04 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/nothreads/include/isc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/isc/condition.h b/usr.sbin/bind/lib/isc/nothreads/include/isc/condition.h
index 44c8ffcaa7d..86b0b880b8d 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/isc/condition.h
+++ b/usr.sbin/bind/lib/isc/nothreads/include/isc/condition.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: condition.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 /*
  * This provides a limited subset of the isc_condition_t
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/isc/mutex.h b/usr.sbin/bind/lib/isc/nothreads/include/isc/mutex.h
index 7b18e0fdabe..41ce1613424 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/isc/mutex.h
+++ b/usr.sbin/bind/lib/isc/nothreads/include/isc/mutex.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/isc/once.h b/usr.sbin/bind/lib/isc/nothreads/include/isc/once.h
index 13c7877e420..4bae083818a 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/isc/once.h
+++ b/usr.sbin/bind/lib/isc/nothreads/include/isc/once.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: once.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/usr.sbin/bind/lib/isc/nothreads/include/isc/thread.h b/usr.sbin/bind/lib/isc/nothreads/include/isc/thread.h
index 2650fd5dc2a..fc3e6dfda88 100644
--- a/usr.sbin/bind/lib/isc/nothreads/include/isc/thread.h
+++ b/usr.sbin/bind/lib/isc/nothreads/include/isc/thread.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: thread.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
@@ -25,9 +24,20 @@
 
 ISC_LANG_BEGINDECLS
 
+/* Placeholder types (they are not accessed) */
+
+typedef void * isc_thread_t;
+typedef void * isc_threadresult_t;
+typedef void * isc_threadarg_t;
+typedef void * isc_threadfunc_t;
+typedef void * isc_thread_key_t;
+
 void
 isc_thread_setconcurrency(unsigned int level);
 
+void
+isc_thread_setname(isc_thread_t thread, const char *name);
+
 #define isc_thread_self() ((unsigned long)0)
 #define isc_thread_yield() ((void)0)
 
diff --git a/usr.sbin/bind/lib/isc/nothreads/mutex.c b/usr.sbin/bind/lib/isc/nothreads/mutex.c
index 4f6854c6503..794ab0ce0af 100644
--- a/usr.sbin/bind/lib/isc/nothreads/mutex.c
+++ b/usr.sbin/bind/lib/isc/nothreads/mutex.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: mutex.c,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/nothreads/thread.c b/usr.sbin/bind/lib/isc/nothreads/thread.c
index c47d5fbc37d..a9e6eaa6994 100644
--- a/usr.sbin/bind/lib/isc/nothreads/thread.c
+++ b/usr.sbin/bind/lib/isc/nothreads/thread.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: thread.c,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #include <config.h>
 
@@ -26,3 +25,8 @@ void
 isc_thread_setconcurrency(unsigned int level) {
 	UNUSED(level);
 }
+
+void isc_thread_setname(isc_thread_t thread, const char *name) {
+	UNUSED(thread);
+	UNUSED(name);
+}
diff --git a/usr.sbin/bind/lib/isc/ondestroy.c b/usr.sbin/bind/lib/isc/ondestroy.c
index a75b2779656..d31187eac92 100644
--- a/usr.sbin/bind/lib/isc/ondestroy.c
+++ b/usr.sbin/bind/lib/isc/ondestroy.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: ondestroy.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/parseint.c b/usr.sbin/bind/lib/isc/parseint.c
index d6635802d6a..7c57dd4f259 100644
--- a/usr.sbin/bind/lib/isc/parseint.c
+++ b/usr.sbin/bind/lib/isc/parseint.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: parseint.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/pk11.c b/usr.sbin/bind/lib/isc/pk11.c
index 424bfb93b42..85c8484a548 100644
--- a/usr.sbin/bind/lib/isc/pk11.c
+++ b/usr.sbin/bind/lib/isc/pk11.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2017  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -26,6 +26,7 @@
 #include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/stdio.h>
+#include <isc/string.h>
 #include <isc/thread.h>
 #include <isc/util.h>
 
@@ -38,6 +39,7 @@
 
 #include <pkcs11/cryptoki.h>
 #include <pkcs11/pkcs11.h>
+#include <pkcs11/eddsa.h>
 
 /* was 32 octets, Petr Spacek suggested 1024, SoftHSMv2 uses 256... */
 #ifndef PINLEN
@@ -415,9 +417,13 @@ pk11_get_session(pk11_context_t *ctx, pk11_optype_t optype,
 	/* Override the token's PIN */
 	if (logon && pin != NULL && *pin != '\0') {
 		if (strlen(pin) > PINLEN)
-			return ISC_R_RANGE;
-		memset(token->pin, 0, PINLEN + 1);
-		strncpy(token->pin, pin, PINLEN);
+			return (ISC_R_RANGE);
+		/*
+		 * We want to zero out the old pin before
+		 * overwriting with a new one.
+		 */
+		memset(token->pin, 0, sizeof(token->pin));
+		strlcpy(token->pin, pin, sizeof(token->pin));
 	}
 
 	freelist = &token->sessions;
@@ -879,12 +885,33 @@ scan_slots(void) {
 			PK11_TRACEM(CKM_GOSTR3410_WITH_GOSTR3411);
 		}
 		if (bad)
-			goto try_aes;
+			goto try_eddsa;
 		token->operations |= 1 << OP_GOST;
 		if (best_gost_token == NULL)
 			best_gost_token = token;
 
+	try_eddsa:
+#if defined(CKM_EDDSA_KEY_PAIR_GEN) && defined(CKM_EDDSA) && defined(CKK_EDDSA)
+		bad = ISC_FALSE;
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA_KEY_PAIR_GEN,
+					     &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_GENERATE_KEY_PAIR) == 0)) {
+			bad = ISC_TRUE;
+			PK11_TRACEM(CKM_EDDSA_KEY_PAIR_GEN);
+		}
+		rv = pkcs_C_GetMechanismInfo(slot, CKM_EDDSA, &mechInfo);
+		if ((rv != CKR_OK) ||
+		    ((mechInfo.flags & CKF_SIGN) == 0) ||
+		    ((mechInfo.flags & CKF_VERIFY) == 0)) {
+			bad = ISC_TRUE;
+			PK11_TRACEM(CKM_EDDSA);
+		}
+		if (bad)
+			goto try_aes;
+
 	try_aes:
+#endif
 		bad = ISC_FALSE;
 		rv = pkcs_C_GetMechanismInfo(slot, CKM_AES_ECB, &mechInfo);
 		if ((rv != CKR_OK) || ((mechInfo.flags & CKF_ENCRYPT) == 0)) {
diff --git a/usr.sbin/bind/lib/isc/pk11_result.c b/usr.sbin/bind/lib/isc/pk11_result.c
index 0ada75306d2..449782287bc 100644
--- a/usr.sbin/bind/lib/isc/pk11_result.c
+++ b/usr.sbin/bind/lib/isc/pk11_result.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/pool.c b/usr.sbin/bind/lib/isc/pool.c
index 9bed3f843d9..a8b1578318d 100644
--- a/usr.sbin/bind/lib/isc/pool.c
+++ b/usr.sbin/bind/lib/isc/pool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: pool.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: pool.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/portset.c b/usr.sbin/bind/lib/isc/portset.c
index b9122c0fcc4..0cd1564e4e4 100644
--- a/usr.sbin/bind/lib/isc/portset.c
+++ b/usr.sbin/bind/lib/isc/portset.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portset.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: portset.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/powerpc/Makefile.in b/usr.sbin/bind/lib/isc/powerpc/Makefile.in
index 290e63ad20c..fbb45ceca23 100644
--- a/usr.sbin/bind/lib/isc/powerpc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/powerpc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/powerpc/include/Makefile.in b/usr.sbin/bind/lib/isc/powerpc/include/Makefile.in
index 7cc58696665..01fdc099eef 100644
--- a/usr.sbin/bind/lib/isc/powerpc/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/powerpc/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/powerpc/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/powerpc/include/isc/Makefile.in
index ff6bf924113..dcdcb942fd4 100644
--- a/usr.sbin/bind/lib/isc/powerpc/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/powerpc/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/powerpc/include/isc/atomic.h b/usr.sbin/bind/lib/isc/powerpc/include/isc/atomic.h
index 1c3521ba183..986b9fb7abb 100644
--- a/usr.sbin/bind/lib/isc/powerpc/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/powerpc/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -78,7 +78,7 @@ static inline int
 #else
 static int
 #endif
-isc_atomic_cmpxchg(atomic_p p, int old, int new) {
+isc_atomic_cmpxchg(atomic_p p, int old, int replacement) {
 	int orig = old;
 
 #ifdef __GNUC__
@@ -86,7 +86,7 @@ isc_atomic_cmpxchg(atomic_p p, int old, int new) {
 #else
 	 __isync();
 #endif
-	if (compare_and_swap(p, &orig, new))
+	if (compare_and_swap(p, &orig, replacement))
 		orig = old;
 
 #ifdef __GNUC__
diff --git a/usr.sbin/bind/lib/isc/print.c b/usr.sbin/bind/lib/isc/print.c
index 706acd4cf75..85ca9c96631 100644
--- a/usr.sbin/bind/lib/isc/print.c
+++ b/usr.sbin/bind/lib/isc/print.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2010, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -639,7 +638,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg,
 #else
 			assert("long doubles are not supported" == NULL);
 #endif
-			/*FALLTHROUGH*/
+			/* FALLTHROUGH */
 		case 'e':
 		case 'E':
 		case 'f':
@@ -691,7 +690,7 @@ isc__print_printf(void (*emit)(char, void *), void *arg,
 						pad--;
 					}
 				cp = buf;
-				while (*cp != ' ')
+				while (*cp != '\0')
 					emit(*cp++, arg);
 				while (pad > 0) {
 					emit(' ', arg);
diff --git a/usr.sbin/bind/lib/isc/pthreads/Makefile.in b/usr.sbin/bind/lib/isc/pthreads/Makefile.in
index 2bc09059525..3fd5fa63283 100644
--- a/usr.sbin/bind/lib/isc/pthreads/Makefile.in
+++ b/usr.sbin/bind/lib/isc/pthreads/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/pthreads/condition.c b/usr.sbin/bind/lib/isc/pthreads/condition.c
index 8114aaf475f..fea79415fc7 100644
--- a/usr.sbin/bind/lib/isc/pthreads/condition.c
+++ b/usr.sbin/bind/lib/isc/pthreads/condition.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: condition.c,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/Makefile.in b/usr.sbin/bind/lib/isc/pthreads/include/Makefile.in
index 0408e2ffb77..01fdc099eef 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/pthreads/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/pthreads/include/isc/Makefile.in
index 39b094de571..8900f7dcb04 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/pthreads/include/isc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/isc/condition.h b/usr.sbin/bind/lib/isc/pthreads/include/isc/condition.h
index 9c6be8dfb9a..8f25c4d9628 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/isc/condition.h
+++ b/usr.sbin/bind/lib/isc/pthreads/include/isc/condition.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: condition.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/isc/mutex.h b/usr.sbin/bind/lib/isc/pthreads/include/isc/mutex.h
index 4241347bb20..e56c43c1d06 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/isc/mutex.h
+++ b/usr.sbin/bind/lib/isc/pthreads/include/isc/mutex.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: mutex.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
@@ -72,7 +71,7 @@ typedef pthread_mutex_t	isc_mutex_t;
 #else
 #if ISC_MUTEX_DEBUG && defined(PTHREAD_MUTEX_ERRORCHECK)
 #define isc_mutex_init(mp) \
-        isc_mutex_init_errcheck((mp))
+	isc_mutex_init_errcheck((mp))
 #else
 #define isc_mutex_init(mp) \
 	isc__mutex_init((mp), __FILE__, __LINE__)
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/isc/once.h b/usr.sbin/bind/lib/isc/pthreads/include/isc/once.h
index f617856405e..295c3abe814 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/isc/once.h
+++ b/usr.sbin/bind/lib/isc/pthreads/include/isc/once.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: once.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/usr.sbin/bind/lib/isc/pthreads/include/isc/thread.h b/usr.sbin/bind/lib/isc/pthreads/include/isc/thread.h
index b25f398ad21..7fe56e52d2b 100644
--- a/usr.sbin/bind/lib/isc/pthreads/include/isc/thread.h
+++ b/usr.sbin/bind/lib/isc/pthreads/include/isc/thread.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: thread.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
@@ -24,6 +23,10 @@
 
 #include <pthread.h>
 
+#if defined(HAVE_PTHREAD_NP_H)
+#include <pthread_np.h>
+#endif
+
 #include <isc/lang.h>
 #include <isc/result.h>
 
@@ -44,6 +47,9 @@ isc_thread_setconcurrency(unsigned int level);
 void
 isc_thread_yield(void);
 
+void
+isc_thread_setname(isc_thread_t thread, const char *name);
+
 /* XXX We could do fancier error handling... */
 
 #define isc_thread_join(t, rp) \
diff --git a/usr.sbin/bind/lib/isc/pthreads/mutex.c b/usr.sbin/bind/lib/isc/pthreads/mutex.c
index 8f8444daceb..5e17208d8f8 100644
--- a/usr.sbin/bind/lib/isc/pthreads/mutex.c
+++ b/usr.sbin/bind/lib/isc/pthreads/mutex.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: mutex.c,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/pthreads/thread.c b/usr.sbin/bind/lib/isc/pthreads/thread.c
index 7a2a9f396d6..2c5dea766c5 100644
--- a/usr.sbin/bind/lib/isc/pthreads/thread.c
+++ b/usr.sbin/bind/lib/isc/pthreads/thread.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.6 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: thread.c,v 1.7 2019/12/17 01:46:36 sthen Exp $ */
 
 /*! \file */
 
@@ -37,7 +36,10 @@ isc_thread_create(isc_threadfunc_t func, isc_threadarg_t arg,
 		  isc_thread_t *thread)
 {
 	pthread_attr_t attr;
+#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
+    defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE)
 	size_t stacksize;
+#endif
 	int ret;
 
 	pthread_attr_init(&attr);
@@ -80,6 +82,22 @@ isc_thread_setconcurrency(unsigned int level) {
 }
 
 void
+isc_thread_setname(isc_thread_t thread, const char *name) {
+#if defined(HAVE_PTHREAD_SETNAME_NP) && defined(_GNU_SOURCE)
+	/*
+	 * macOS has pthread_setname_np but only works on the
+	 * current thread so it's not used here
+	*/
+	(void)pthread_setname_np(thread, name);
+#elif defined(HAVE_PTHREAD_SET_NAME_NP)
+	(void)pthread_set_name_np(thread, name);
+#else
+	UNUSED(thread);
+	UNUSED(name);
+#endif
+}
+
+void
 isc_thread_yield(void) {
 #if defined(HAVE_SCHED_YIELD)
 	sched_yield();
diff --git a/usr.sbin/bind/lib/isc/quota.c b/usr.sbin/bind/lib/isc/quota.c
index 4e4a5a1b8fa..9e09071a6ea 100644
--- a/usr.sbin/bind/lib/isc/quota.c
+++ b/usr.sbin/bind/lib/isc/quota.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: quota.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/radix.c b/usr.sbin/bind/lib/isc/radix.c
index 8df7b60491e..9eaa6bcaf83 100644
--- a/usr.sbin/bind/lib/isc/radix.c
+++ b/usr.sbin/bind/lib/isc/radix.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2009, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: radix.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: radix.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*
  * This source was adapted from MRT's RCS Ids:
diff --git a/usr.sbin/bind/lib/isc/random.c b/usr.sbin/bind/lib/isc/random.c
index 1199c5eb766..888fa1da1da 100644
--- a/usr.sbin/bind/lib/isc/random.c
+++ b/usr.sbin/bind/lib/isc/random.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.c,v 1.10 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: random.c,v 1.11 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -99,7 +98,8 @@ isc_random_get(isc_uint32_t *val)
 	 */
 #if RAND_MAX >= 0xfffff
 	/* We have at least 20 bits.  Use lower 16 excluding lower most 4 */
-	*val = ((rand() >> 4) & 0xffff) | ((rand() << 12) & 0xffff0000);
+	*val = ((((unsigned int)rand()) & 0xffff0) >> 4) |
+	       ((((unsigned int)rand()) & 0xffff0) << 12);
 #elif RAND_MAX >= 0x7fff
 	/* We have at least 15 bits.  Use lower 10/11 excluding lower most 4 */
 	*val = ((rand() >> 4) & 0x000007ff) | ((rand() << 7) & 0x003ff800) |
diff --git a/usr.sbin/bind/lib/isc/ratelimiter.c b/usr.sbin/bind/lib/isc/ratelimiter.c
index 3f0e64b6967..f151f6af461 100644
--- a/usr.sbin/bind/lib/isc/ratelimiter.c
+++ b/usr.sbin/bind/lib/isc/ratelimiter.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012, 2014, 2015, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/refcount.c b/usr.sbin/bind/lib/isc/refcount.c
index d0147ad3406..71f7dc5c9f0 100644
--- a/usr.sbin/bind/lib/isc/refcount.c
+++ b/usr.sbin/bind/lib/isc/refcount.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: refcount.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 #include <config.h>
 
@@ -23,13 +23,14 @@
 #include <isc/mutex.h>
 #include <isc/refcount.h>
 #include <isc/result.h>
+#include <isc/util.h>
 
 isc_result_t
 isc_refcount_init(isc_refcount_t *ref, unsigned int n) {
 	REQUIRE(ref != NULL);
 
 	ref->refs = n;
-#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_PLATFORM_HAVEXADD)
+#if defined(ISC_PLATFORM_USETHREADS) && !defined(ISC_REFCOUNT_HAVEATOMIC)
 	return (isc_mutex_init(&ref->lock));
 #else
 	return (ISC_R_SUCCESS);
diff --git a/usr.sbin/bind/lib/isc/regex.c b/usr.sbin/bind/lib/isc/regex.c
index a1e76c75918..f4fc006173e 100644
--- a/usr.sbin/bind/lib/isc/regex.c
+++ b/usr.sbin/bind/lib/isc/regex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/region.c b/usr.sbin/bind/lib/isc/region.c
index 06c2f33b1d3..2e9a4e7bef3 100644
--- a/usr.sbin/bind/lib/isc/region.c
+++ b/usr.sbin/bind/lib/isc/region.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: region.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -34,7 +33,7 @@ isc_region_compare(isc_region_t *r1, isc_region_t *r2) {
 
 	REQUIRE(r1 != NULL);
 	REQUIRE(r2 != NULL);
-	       
+
 	l = (r1->length < r2->length) ? r1->length : r2->length;
 
 	if ((result = memcmp(r1->base, r2->base, l)) != 0)
diff --git a/usr.sbin/bind/lib/isc/result.c b/usr.sbin/bind/lib/isc/result.c
index e6fa92db345..01369809756 100644
--- a/usr.sbin/bind/lib/isc/result.c
+++ b/usr.sbin/bind/lib/isc/result.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: result.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/rwlock.c b/usr.sbin/bind/lib/isc/rwlock.c
index 0a2dc3fb1af..cc60c3f0e78 100644
--- a/usr.sbin/bind/lib/isc/rwlock.c
+++ b/usr.sbin/bind/lib/isc/rwlock.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.c,v 1.6 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: rwlock.c,v 1.7 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -85,7 +84,7 @@ isc_rwlock_init(isc_rwlock_t *rwl, unsigned int read_quota,
 	 */
 	rwl->magic = 0;
 
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#if defined(ISC_RWLOCK_USEATOMIC)
 	rwl->write_requests = 0;
 	rwl->write_completions = 0;
 	rwl->cnt_and_flag = 0;
@@ -154,7 +153,7 @@ void
 isc_rwlock_destroy(isc_rwlock_t *rwl) {
 	REQUIRE(VALID_RWLOCK(rwl));
 
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#if defined(ISC_RWLOCK_USEATOMIC)
 	REQUIRE(rwl->write_requests == rwl->write_completions &&
 		rwl->cnt_and_flag == 0 && rwl->readers_waiting == 0);
 #else
@@ -171,7 +170,7 @@ isc_rwlock_destroy(isc_rwlock_t *rwl) {
 	DESTROYLOCK(&rwl->lock);
 }
 
-#if defined(ISC_PLATFORM_HAVEXADD) && defined(ISC_PLATFORM_HAVECMPXCHG)
+#if defined(ISC_RWLOCK_USEATOMIC)
 
 /*
  * When some architecture-dependent atomic operations are available,
@@ -261,7 +260,13 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 			UNLOCK(&rwl->lock);
 		}
 
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+						    READER_INCR,
+						    memory_order_relaxed);
+#else
 		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+#endif
 		POST(cntflag);
 		while (1) {
 			if ((rwl->cnt_and_flag & WRITER_ACTIVE) == 0)
@@ -311,7 +316,12 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		isc_int32_t prev_writer;
 
 		/* enter the waiting queue, and wait for our turn */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		prev_writer = atomic_fetch_add_explicit(&rwl->write_requests, 1,
+							memory_order_relaxed);
+#else
 		prev_writer = isc_atomic_xadd(&rwl->write_requests, 1);
+#endif
 		while (rwl->write_completions != prev_writer) {
 			LOCK(&rwl->lock);
 			if (rwl->write_completions != prev_writer) {
@@ -324,9 +334,18 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		}
 
 		while (1) {
-			cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
-						     WRITER_ACTIVE);
-			if (cntflag == 0)
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+			int_fast32_t cntflag2 = 0;
+			atomic_compare_exchange_strong_explicit
+				(&rwl->cnt_and_flag, &cntflag2, WRITER_ACTIVE,
+				 memory_order_relaxed, memory_order_relaxed);
+#else
+			isc_int32_t cntflag2;
+			cntflag2 = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
+						      WRITER_ACTIVE);
+#endif
+
+			if (cntflag2 == 0)
 				break;
 
 			/* Another active reader or writer is working. */
@@ -365,14 +384,26 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 			return (ISC_R_LOCKBUSY);
 
 		/* Otherwise, be ready for reading. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		cntflag = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+						    READER_INCR,
+						    memory_order_relaxed);
+#else
 		cntflag = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+#endif
 		if ((cntflag & WRITER_ACTIVE) != 0) {
 			/*
 			 * A writer is working.  We lose, and cancel the read
 			 * request.
 			 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+			cntflag = atomic_fetch_sub_explicit
+				(&rwl->cnt_and_flag, READER_INCR,
+				 memory_order_relaxed);
+#else
 			cntflag = isc_atomic_xadd(&rwl->cnt_and_flag,
 						  -READER_INCR);
+#endif
 			/*
 			 * If no other readers are waiting and we've suspended
 			 * new writers in this short period, wake them up.
@@ -388,16 +419,29 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		}
 	} else {
 		/* Try locking without entering the waiting queue. */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		int_fast32_t zero = 0;
+		if (!atomic_compare_exchange_strong_explicit
+		    (&rwl->cnt_and_flag, &zero, WRITER_ACTIVE,
+		     memory_order_relaxed, memory_order_relaxed))
+			return (ISC_R_LOCKBUSY);
+#else
 		cntflag = isc_atomic_cmpxchg(&rwl->cnt_and_flag, 0,
 					     WRITER_ACTIVE);
 		if (cntflag != 0)
 			return (ISC_R_LOCKBUSY);
+#endif
 
 		/*
 		 * XXXJT: jump into the queue, possibly breaking the writer
 		 * order.
 		 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		atomic_fetch_sub_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+#else
 		(void)isc_atomic_xadd(&rwl->write_completions, -1);
+#endif
 
 		rwl->write_granted++;
 	}
@@ -412,31 +456,60 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 
 isc_result_t
 isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
-	isc_int32_t prevcnt;
-
 	REQUIRE(VALID_RWLOCK(rwl));
 
-	/* Try to acquire write access. */
-	prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
-				     READER_INCR, WRITER_ACTIVE);
-	/*
-	 * There must have been no writer, and there must have been at least
-	 * one reader.
-	 */
-	INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
-	       (prevcnt & ~WRITER_ACTIVE) != 0);
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	{
+		int_fast32_t reader_incr = READER_INCR;
 
-	if (prevcnt == READER_INCR) {
+		/* Try to acquire write access. */
+		atomic_compare_exchange_strong_explicit
+			(&rwl->cnt_and_flag, &reader_incr, WRITER_ACTIVE,
+			 memory_order_relaxed, memory_order_relaxed);
 		/*
-		 * We are the only reader and have been upgraded.
-		 * Now jump into the head of the writer waiting queue.
+		 * There must have been no writer, and there must have
+		 * been at least one reader.
 		 */
-		(void)isc_atomic_xadd(&rwl->write_completions, -1);
-	} else
-		return (ISC_R_LOCKBUSY);
+		INSIST((reader_incr & WRITER_ACTIVE) == 0 &&
+		       (reader_incr & ~WRITER_ACTIVE) != 0);
 
-	return (ISC_R_SUCCESS);
+		if (reader_incr == READER_INCR) {
+			/*
+			 * We are the only reader and have been upgraded.
+			 * Now jump into the head of the writer waiting queue.
+			 */
+			atomic_fetch_sub_explicit(&rwl->write_completions, 1,
+						  memory_order_relaxed);
+		} else
+			return (ISC_R_LOCKBUSY);
 
+	}
+#else
+	{
+		isc_int32_t prevcnt;
+
+		/* Try to acquire write access. */
+		prevcnt = isc_atomic_cmpxchg(&rwl->cnt_and_flag,
+					     READER_INCR, WRITER_ACTIVE);
+		/*
+		 * There must have been no writer, and there must have
+		 * been at least one reader.
+		 */
+		INSIST((prevcnt & WRITER_ACTIVE) == 0 &&
+		       (prevcnt & ~WRITER_ACTIVE) != 0);
+
+		if (prevcnt == READER_INCR) {
+			/*
+			 * We are the only reader and have been upgraded.
+			 * Now jump into the head of the writer waiting queue.
+			 */
+			(void)isc_atomic_xadd(&rwl->write_completions, -1);
+		} else
+			return (ISC_R_LOCKBUSY);
+	}
+#endif
+
+	return (ISC_R_SUCCESS);
 }
 
 void
@@ -445,14 +518,33 @@ isc_rwlock_downgrade(isc_rwlock_t *rwl) {
 
 	REQUIRE(VALID_RWLOCK(rwl));
 
-	/* Become an active reader. */
-	prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
-	/* We must have been a writer. */
-	INSIST((prev_readers & WRITER_ACTIVE) != 0);
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+	{
+		/* Become an active reader. */
+		prev_readers = atomic_fetch_add_explicit(&rwl->cnt_and_flag,
+							 READER_INCR,
+							 memory_order_relaxed);
+		/* We must have been a writer. */
+		INSIST((prev_readers & WRITER_ACTIVE) != 0);
+
+		/* Complete write */
+		atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
+					  memory_order_relaxed);
+		atomic_fetch_add_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+	}
+#else
+	{
+		/* Become an active reader. */
+		prev_readers = isc_atomic_xadd(&rwl->cnt_and_flag, READER_INCR);
+		/* We must have been a writer. */
+		INSIST((prev_readers & WRITER_ACTIVE) != 0);
 
-	/* Complete write */
-	(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
-	(void)isc_atomic_xadd(&rwl->write_completions, 1);
+		/* Complete write */
+		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
+		(void)isc_atomic_xadd(&rwl->write_completions, 1);
+	}
+#endif
 
 	/* Resume other readers */
 	LOCK(&rwl->lock);
@@ -473,8 +565,13 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 #endif
 
 	if (type == isc_rwlocktype_read) {
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		prev_cnt = atomic_fetch_sub_explicit(&rwl->cnt_and_flag,
+						     READER_INCR,
+						     memory_order_relaxed);
+#else
 		prev_cnt = isc_atomic_xadd(&rwl->cnt_and_flag, -READER_INCR);
-
+#endif
 		/*
 		 * If we're the last reader and any writers are waiting, wake
 		 * them up.  We need to wake up all of them to ensure the
@@ -493,8 +590,15 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		 * Reset the flag, and (implicitly) tell other writers
 		 * we are done.
 		 */
+#if defined(ISC_RWLOCK_USESTDATOMIC)
+		atomic_fetch_sub_explicit(&rwl->cnt_and_flag, WRITER_ACTIVE,
+					  memory_order_relaxed);
+		atomic_fetch_add_explicit(&rwl->write_completions, 1,
+					  memory_order_relaxed);
+#else
 		(void)isc_atomic_xadd(&rwl->cnt_and_flag, -WRITER_ACTIVE);
 		(void)isc_atomic_xadd(&rwl->write_completions, 1);
+#endif
 
 		if (rwl->write_granted >= rwl->write_quota ||
 		    rwl->write_requests == rwl->write_completions ||
@@ -532,7 +636,7 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 	return (ISC_R_SUCCESS);
 }
 
-#else /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+#else /* ISC_RWLOCK_USEATOMIC */
 
 static isc_result_t
 doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
@@ -719,7 +823,7 @@ isc_rwlock_unlock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 	return (ISC_R_SUCCESS);
 }
 
-#endif /* ISC_PLATFORM_HAVEXADD && ISC_PLATFORM_HAVECMPXCHG */
+#endif /* ISC_RWLOCK_USEATOMIC */
 #else /* ISC_PLATFORM_USETHREADS */
 
 isc_result_t
diff --git a/usr.sbin/bind/lib/isc/safe.c b/usr.sbin/bind/lib/isc/safe.c
index 8ac4a5b9193..92f41c29862 100644
--- a/usr.sbin/bind/lib/isc/safe.c
+++ b/usr.sbin/bind/lib/isc/safe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,8 +19,13 @@
 #include <config.h>
 
 #include <isc/safe.h>
+#include <isc/string.h>
 #include <isc/util.h>
 
+#ifdef WIN32
+#include <windows.h>
+#endif
+
 #ifdef _MSC_VER
 #pragma optimize("", off)
 #endif
@@ -65,3 +70,17 @@ isc_safe_memcompare(const void *b1, const void *b2, size_t len) {
 
 	return (res);
 }
+
+void
+isc_safe_memwipe(void *ptr, size_t len) {
+	if (ISC_UNLIKELY(ptr == NULL || len == 0))
+		return;
+
+#ifdef WIN32
+	SecureZeroMemory(ptr, len);
+#elif HAVE_EXPLICIT_BZERO
+	explicit_bzero(ptr, len);
+#else
+	memset(ptr, 0, len);
+#endif
+}
diff --git a/usr.sbin/bind/lib/isc/serial.c b/usr.sbin/bind/lib/isc/serial.c
index ca950c13feb..67379190d9b 100644
--- a/usr.sbin/bind/lib/isc/serial.c
+++ b/usr.sbin/bind/lib/isc/serial.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: serial.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/sha1.c b/usr.sbin/bind/lib/isc/sha1.c
index 490aefe1ee2..26eaca095d8 100644
--- a/usr.sbin/bind/lib/isc/sha1.c
+++ b/usr.sbin/bind/lib/isc/sha1.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,10 +14,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha1.c,v 1.5 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sha1.c,v 1.6 2019/12/17 01:46:34 sthen Exp $ */
 
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
-/*	$OpenBSD: sha1.c,v 1.5 2019/12/16 16:16:26 deraadt Exp $	*/
+/*	$OpenBSD: sha1.c,v 1.6 2019/12/17 01:46:34 sthen Exp $	*/
 
 /*! \file
  * SHA-1 in C
@@ -39,6 +38,7 @@
 
 #include <isc/assertions.h>
 #include <isc/platform.h>
+#include <isc/safe.h>
 #include <isc/sha1.h>
 #include <isc/string.h>
 #include <isc/types.h>
@@ -50,7 +50,7 @@
 #endif
 
 #ifdef ISC_PLATFORM_OPENSSLHASH
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define EVP_MD_CTX_new() &(context->_ctx)
 #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
 #endif
@@ -62,7 +62,9 @@ isc_sha1_init(isc_sha1_t *context)
 
 	context->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(context->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha1()) == 1);
+	if (EVP_DigestInit(context->ctx, EVP_sha1()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA1.");
+	}
 }
 
 void
@@ -115,7 +117,7 @@ isc_sha1_invalidate(isc_sha1_t *ctx) {
 	if (ctx->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(ctx->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(ctx);
 }
 
@@ -343,7 +345,7 @@ isc_sha1_init(isc_sha1_t *context)
 
 void
 isc_sha1_invalidate(isc_sha1_t *context) {
-	memset(context, 0, sizeof(isc_sha1_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 /*!
@@ -411,6 +413,47 @@ isc_sha1_final(isc_sha1_t *context, unsigned char *digest) {
 				  >> ((3 - (i & 3)) * 8)) & 255);
 	}
 
-	memset(context, 0, sizeof(isc_sha1_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 #endif
+
+/*
+ * Check for SHA-1 support; if it does not work, raise a fatal error.
+ *
+ * Use "a" as the test vector.
+ *
+ * Standard use is testing false and result true.
+ * Testing use is testing true and result false;
+ */
+isc_boolean_t
+isc_sha1_check(isc_boolean_t testing) {
+	isc_sha1_t ctx;
+	unsigned char input = 'a';
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+	unsigned char expected[] = {
+		0x86, 0xf7, 0xe4, 0x37, 0xfa, 0xa5, 0xa7, 0xfc,
+		0xe1, 0x5d, 0x1d, 0xdc, 0xb9, 0xea, 0xea, 0xea,
+		0x37, 0x76, 0x67, 0xb8
+	};
+
+	INSIST(sizeof(expected) == ISC_SHA1_DIGESTLENGTH);
+
+	/*
+	 * Introduce a fault for testing.
+	 */
+	if (testing) {
+		input ^= 0x01;
+	}
+
+	/*
+	 * These functions do not return anything; any failure will be fatal.
+	 */
+	isc_sha1_init(&ctx);
+	isc_sha1_update(&ctx, &input, 1U);
+	isc_sha1_final(&ctx, digest);
+
+	/*
+	 * Must return true in standard case, should return false for testing.
+	 */
+	return (ISC_TF(memcmp(digest, expected, ISC_SHA1_DIGESTLENGTH) == 0));
+}
diff --git a/usr.sbin/bind/lib/isc/sha2.c b/usr.sbin/bind/lib/isc/sha2.c
index 602b2c2b01b..db74bf9432a 100644
--- a/usr.sbin/bind/lib/isc/sha2.c
+++ b/usr.sbin/bind/lib/isc/sha2.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005-2007, 2009, 2011, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sha2.c,v 1.4 2019/12/17 01:46:34 sthen Exp $ */
 
 /*	$FreeBSD: src/sys/crypto/sha2/sha2.c,v 1.2.2.2 2002/03/05 08:36:47 ume Exp $	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -59,6 +59,7 @@
 
 #include <isc/assertions.h>
 #include <isc/platform.h>
+#include <isc/safe.h>
 #include <isc/sha2.h>
 #include <isc/string.h>
 #include <isc/util.h>
@@ -68,7 +69,7 @@
 #include <pk11/pk11.h>
 #endif
 
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 #define EVP_MD_CTX_new() &(context->_ctx)
 #define EVP_MD_CTX_free(ptr) EVP_MD_CTX_cleanup(ptr)
@@ -82,7 +83,9 @@ isc_sha224_init(isc_sha224_t *context) {
 	}
 	context->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(context->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha224()) == 1);
+	if (EVP_DigestInit(context->ctx, EVP_sha224()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA224.");
+	}
 }
 
 void
@@ -128,7 +131,9 @@ isc_sha256_init(isc_sha256_t *context) {
 	}
 	context->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(context->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha256()) == 1);
+	if (EVP_DigestInit(context->ctx, EVP_sha256()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA256.");
+	}
 }
 
 void
@@ -174,7 +179,9 @@ isc_sha512_init(isc_sha512_t *context) {
 	}
 	context->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(context->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha512()) == 1);
+	if (EVP_DigestInit(context->ctx, EVP_sha512()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA512.");
+	}
 }
 
 void
@@ -218,7 +225,9 @@ isc_sha384_init(isc_sha384_t *context) {
 	}
 	context->ctx = EVP_MD_CTX_new();
 	RUNTIME_CHECK(context->ctx != NULL);
-	RUNTIME_CHECK(EVP_DigestInit(context->ctx, EVP_sha384()) == 1);
+	if (EVP_DigestInit(context->ctx, EVP_sha384()) != 1) {
+		FATAL_ERROR(__FILE__, __LINE__, "Cannot initialize SHA384.");
+	}
 }
 
 void
@@ -280,7 +289,7 @@ isc_sha224_invalidate(isc_sha224_t *context) {
 	if (context->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(context);
 }
 
@@ -320,7 +329,7 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
 		CK_BYTE garbage[ISC_SHA224_DIGESTLENGTH];
 
 		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-		memset(garbage, 0, sizeof(garbage));
+		isc_safe_memwipe(garbage, sizeof(garbage));
 	}
 	pk11_return_session(context);
 }
@@ -346,7 +355,7 @@ isc_sha256_invalidate(isc_sha256_t *context) {
 	if (context->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(context);
 }
 
@@ -386,7 +395,7 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
 		CK_BYTE garbage[ISC_SHA256_DIGESTLENGTH];
 
 		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-		memset(garbage, 0, sizeof(garbage));
+		isc_safe_memwipe(garbage, sizeof(garbage));
 	}
 	pk11_return_session(context);
 }
@@ -412,7 +421,7 @@ isc_sha512_invalidate(isc_sha512_t *context) {
 	if (context->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(context);
 }
 
@@ -452,7 +461,7 @@ isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
 		CK_BYTE garbage[ISC_SHA512_DIGESTLENGTH];
 
 		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-		memset(garbage, 0, sizeof(garbage));
+		isc_safe_memwipe(garbage, sizeof(garbage));
 	}
 	pk11_return_session(context);
 }
@@ -478,7 +487,7 @@ isc_sha384_invalidate(isc_sha384_t *context) {
 	if (context->handle == NULL)
 		return;
 	(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-	memset(garbage, 0, sizeof(garbage));
+	isc_safe_memwipe(garbage, sizeof(garbage));
 	pk11_return_session(context);
 }
 
@@ -518,7 +527,7 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
 		CK_BYTE garbage[ISC_SHA384_DIGESTLENGTH];
 
 		(void) pkcs_C_DigestFinal(context->session, garbage, &len);
-		memset(garbage, 0, sizeof(garbage));
+		isc_safe_memwipe(garbage, sizeof(garbage));
 	}
 	pk11_return_session(context);
 }
@@ -872,7 +881,7 @@ isc_sha224_init(isc_sha224_t *context) {
 
 void
 isc_sha224_invalidate(isc_sha224_t *context) {
-	memset(context, 0, sizeof(isc_sha224_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 void
@@ -885,7 +894,7 @@ isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
 	isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
 	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
 	memmove(digest, sha256_digest, ISC_SHA224_DIGESTLENGTH);
-	memset(sha256_digest, 0, ISC_SHA256_DIGESTLENGTH);
+	isc_safe_memwipe(sha256_digest, sizeof(sha256_digest));
 }
 
 /*** SHA-256: *********************************************************/
@@ -902,7 +911,7 @@ isc_sha256_init(isc_sha256_t *context) {
 
 void
 isc_sha256_invalidate(isc_sha256_t *context) {
-	memset(context, 0, sizeof(isc_sha256_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 #ifdef ISC_SHA2_UNROLL_TRANSFORM
@@ -1209,7 +1218,7 @@ isc_sha256_final(isc_uint8_t digest[], isc_sha256_t *context) {
 	}
 
 	/* Clean up state data: */
-	memset(context, 0, sizeof(*context));
+	isc_safe_memwipe(context, sizeof(*context));
 	usedspace = 0;
 	POST(usedspace);
 }
@@ -1228,7 +1237,7 @@ isc_sha512_init(isc_sha512_t *context) {
 
 void
 isc_sha512_invalidate(isc_sha512_t *context) {
-	memset(context, 0, sizeof(isc_sha512_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 #ifdef ISC_SHA2_UNROLL_TRANSFORM
@@ -1533,7 +1542,7 @@ void isc_sha512_final(isc_uint8_t digest[], isc_sha512_t *context) {
 	}
 
 	/* Zero out state data */
-	memset(context, 0, sizeof(*context));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 
@@ -1551,7 +1560,7 @@ isc_sha384_init(isc_sha384_t *context) {
 
 void
 isc_sha384_invalidate(isc_sha384_t *context) {
-	memset(context, 0, sizeof(isc_sha384_t));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 
 void
@@ -1586,7 +1595,7 @@ isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
 	}
 
 	/* Zero out state data */
-	memset(context, 0, sizeof(*context));
+	isc_safe_memwipe(context, sizeof(*context));
 }
 #endif /* !ISC_PLATFORM_OPENSSLHASH */
 
@@ -1614,15 +1623,15 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
 		EVP_MD_CTX_reset(context->ctx);
 #elif PKCS11CRYPTO
 		pk11_return_session(context);
 #else
-		memset(context, 0, sizeof(*context));
+		isc_safe_memwipe(context, sizeof(*context));
 #endif
 	}
-	memset(digest, 0, ISC_SHA224_DIGESTLENGTH);
+	isc_safe_memwipe(digest, sizeof(digest));
 	return buffer;
 }
 
@@ -1655,15 +1664,15 @@ isc_sha256_end(isc_sha256_t *context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
 		EVP_MD_CTX_reset(context->ctx);
 #elif PKCS11CRYPTO
 		pk11_return_session(context);
 #else
-		memset(context, 0, sizeof(*context));
+		isc_safe_memwipe(context, sizeof(*context));
 #endif
 	}
-	memset(digest, 0, ISC_SHA256_DIGESTLENGTH);
+	isc_safe_memwipe(digest, sizeof(digest));
 	return buffer;
 }
 
@@ -1696,15 +1705,15 @@ isc_sha512_end(isc_sha512_t *context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
 		EVP_MD_CTX_reset(context->ctx);
 #elif PKCS11CRYPTO
 		pk11_return_session(context);
 #else
-		memset(context, 0, sizeof(*context));
+		isc_safe_memwipe(context, sizeof(*context));
 #endif
 	}
-	memset(digest, 0, ISC_SHA512_DIGESTLENGTH);
+	isc_safe_memwipe(digest, sizeof(digest));
 	return buffer;
 }
 
@@ -1737,15 +1746,15 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
 		}
 		*buffer = (char)0;
 	} else {
-#ifdef ISC_PLATFORM_OPENSSLHASH
+#if defined(ISC_PLATFORM_OPENSSLHASH) && !defined(LIBRESSL_VERSION_NUMBER)
 		EVP_MD_CTX_reset(context->ctx);
 #elif PKCS11CRYPTO
 		pk11_return_session(context);
 #else
-		memset(context, 0, sizeof(*context));
+		isc_safe_memwipe(context, sizeof(*context));
 #endif
 	}
-	memset(digest, 0, ISC_SHA384_DIGESTLENGTH);
+	isc_safe_memwipe(digest, sizeof(digest));
 	return buffer;
 }
 
diff --git a/usr.sbin/bind/lib/isc/sockaddr.c b/usr.sbin/bind/lib/isc/sockaddr.c
index 4a9531f51e8..5c4e761b51c 100644
--- a/usr.sbin/bind/lib/isc/sockaddr.c
+++ b/usr.sbin/bind/lib/isc/sockaddr.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.8 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: sockaddr.c,v 1.9 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -502,7 +501,8 @@ isc_sockaddr_frompath(isc_sockaddr_t *sockaddr, const char *path) {
 	sockaddr->type.sunix.sun_len =
 			(unsigned char)sizeof(sockaddr->type.sunix);
 #endif
-	strcpy(sockaddr->type.sunix.sun_path, path);
+	strlcpy(sockaddr->type.sunix.sun_path, path,
+		sizeof(sockaddr->type.sunix.sun_path));
 	return (ISC_R_SUCCESS);
 #else
 	UNUSED(sockaddr);
diff --git a/usr.sbin/bind/lib/isc/socket_api.c b/usr.sbin/bind/lib/isc/socket_api.c
index 0dcf8ba719f..f7c475b436f 100644
--- a/usr.sbin/bind/lib/isc/socket_api.c
+++ b/usr.sbin/bind/lib/isc/socket_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_api.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: socket_api.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/sparc64/Makefile.in b/usr.sbin/bind/lib/isc/sparc64/Makefile.in
index 290e63ad20c..fbb45ceca23 100644
--- a/usr.sbin/bind/lib/isc/sparc64/Makefile.in
+++ b/usr.sbin/bind/lib/isc/sparc64/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/sparc64/include/Makefile.in b/usr.sbin/bind/lib/isc/sparc64/include/Makefile.in
index 7cc58696665..01fdc099eef 100644
--- a/usr.sbin/bind/lib/isc/sparc64/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/sparc64/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/sparc64/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/sparc64/include/isc/Makefile.in
index bdbcfc94fdf..4219b9ae09f 100644
--- a/usr.sbin/bind/lib/isc/sparc64/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/sparc64/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:36 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/sparc64/include/isc/atomic.h b/usr.sbin/bind/lib/isc/sparc64/include/isc/atomic.h
index dbcea3ed4a0..92ecf87a08e 100644
--- a/usr.sbin/bind/lib/isc/sparc64/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/sparc64/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:36 sthen Exp $ */
 
 /*
  * This code was written based on FreeBSD's kernel source whose copyright
diff --git a/usr.sbin/bind/lib/isc/stats.c b/usr.sbin/bind/lib/isc/stats.c
index 82e57a1ccf2..fee6a2c7b24 100644
--- a/usr.sbin/bind/lib/isc/stats.c
+++ b/usr.sbin/bind/lib/isc/stats.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.1 2019/12/16 16:31:35 deraadt Exp $ */
+/* $Id: stats.c,v 1.2 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -32,6 +32,10 @@
 #include <isc/stats.h>
 #include <isc/util.h>
 
+#if defined(ISC_PLATFORM_HAVESTDATOMIC)
+#include <stdatomic.h>
+#endif
+
 #define ISC_STATS_MAGIC			ISC_MAGIC('S', 't', 'a', 't')
 #define ISC_STATS_VALID(x)		ISC_MAGIC_VALID(x, ISC_STATS_MAGIC)
 
@@ -40,8 +44,12 @@
  * increment and store operations, just to make
  * the later macros simpler
  */
-#if defined(ISC_PLATFORM_HAVEXADDQ) && defined(ISC_PLATFORM_HAVEATOMICSTOREQ)
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE)) || \
+	(defined(ISC_PLATFORM_HAVEXADDQ) && defined(ISC_PLATFORM_HAVEATOMICSTOREQ))
 #define ISC_STATS_HAVEATOMICQ 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_LONG_LOCK_FREE))
+#define ISC_STATS_HAVESTDATOMICQ 1
+#endif
 #else
 #define ISC_STATS_HAVEATOMICQ 0
 #endif
@@ -69,20 +77,32 @@
  * Otherwise, just rely on standard 64-bit data types
  * and operations
  */
-#if !ISC_STATS_HAVEATOMICQ && defined(ISC_PLATFORM_HAVEXADD)
+#if !ISC_STATS_HAVEATOMICQ && ((defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE)) || defined(ISC_PLATFORM_HAVEXADD))
 #define ISC_STATS_USEMULTIFIELDS 1
+#if (defined(ISC_PLATFORM_HAVESTDATOMIC) && defined(ATOMIC_INT_LOCK_FREE))
+#define ISC_STATS_HAVESTDATOMIC 1
+#endif
 #else
 #define ISC_STATS_USEMULTIFIELDS 0
 #endif
 
 #if ISC_STATS_USEMULTIFIELDS
 typedef struct {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	atomic_int_fast32_t hi;
+	atomic_int_fast32_t lo;
+#else
 	isc_uint32_t hi;
 	isc_uint32_t lo;
+#endif
 } isc_stat_t;
 #else
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+typedef atomic_int_fast64_t isc_stat_t;
+#else
 typedef isc_uint64_t isc_stat_t;
 #endif
+#endif
 
 struct isc_stats {
 	/*% Unlocked */
@@ -240,7 +260,12 @@ incrementcounter(isc_stats_t *stats, int counter) {
 #endif
 
 #if ISC_STATS_USEMULTIFIELDS
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	prev = atomic_fetch_add_explicit(&stats->counters[counter].lo, 1,
+					 memory_order_relaxed);
+#else
 	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, 1);
+#endif
 	/*
 	 * If the lower 32-bit field overflows, increment the higher field.
 	 * Note that it's *theoretically* possible that the lower field
@@ -249,11 +274,22 @@ incrementcounter(isc_stats_t *stats, int counter) {
 	 * isc_stats_copy() is called where the whole process is protected
 	 * by the write (exclusive) lock.
 	 */
-	if (prev == (isc_int32_t)0xffffffff)
+	if (prev == (isc_int32_t)0xffffffff) {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+		atomic_fetch_add_explicit(&stats->counters[counter].hi, 1,
+					  memory_order_relaxed);
+#else
 		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi, 1);
+#endif
+	}
 #elif ISC_STATS_HAVEATOMICQ
 	UNUSED(prev);
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_fetch_add_explicit(&stats->counters[counter], 1,
+				  memory_order_relaxed);
+#else
 	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], 1);
+#endif
 #else
 	UNUSED(prev);
 	stats->counters[counter]++;
@@ -273,13 +309,29 @@ decrementcounter(isc_stats_t *stats, int counter) {
 #endif
 
 #if ISC_STATS_USEMULTIFIELDS
+#if defined(ISC_STATS_HAVESTDATOMIC)
+	prev = atomic_fetch_sub_explicit(&stats->counters[counter].lo, 1,
+					 memory_order_relaxed);
+#else
 	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, -1);
-	if (prev == 0)
+#endif
+	if (prev == 0) {
+#if defined(ISC_STATS_HAVESTDATOMIC)
+		atomic_fetch_sub_explicit(&stats->counters[counter].hi, 1,
+					  memory_order_relaxed);
+#else
 		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi,
 				-1);
+#endif
+	}
 #elif ISC_STATS_HAVEATOMICQ
 	UNUSED(prev);
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_fetch_sub_explicit(&stats->counters[counter], 1,
+				  memory_order_relaxed);
+#else
 	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], -1);
+#endif
 #else
 	UNUSED(prev);
 	stats->counters[counter]--;
@@ -308,9 +360,15 @@ copy_counters(isc_stats_t *stats) {
 			(isc_uint64_t)(stats->counters[i].hi) << 32 |
 			stats->counters[i].lo;
 #elif ISC_STATS_HAVEATOMICQ
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+		stats->copiedcounters[i] =
+			atomic_load_explicit(&stats->counters[i],
+					     memory_order_relaxed);
+#else
 		/* use xaddq(..., 0) as an atomic load */
 		stats->copiedcounters[i] =
 			(isc_uint64_t)isc_atomic_xaddq((isc_int64_t *)&stats->counters[i], 0);
+#endif
 #else
 		stats->copiedcounters[i] = stats->counters[i];
 #endif
@@ -381,7 +439,12 @@ isc_stats_set(isc_stats_t *stats, isc_uint64_t val,
 	stats->counters[counter].hi = (isc_uint32_t)((val >> 32) & 0xffffffff);
 	stats->counters[counter].lo = (isc_uint32_t)(val & 0xffffffff);
 #elif ISC_STATS_HAVEATOMICQ
+#if defined(ISC_STATS_HAVESTDATOMICQ)
+	atomic_store_explicit(&stats->counters[counter], val,
+			      memory_order_relaxed);
+#else
 	isc_atomic_storeq((isc_int64_t *)&stats->counters[counter], val);
+#endif
 #else
 	stats->counters[counter] = val;
 #endif
@@ -390,4 +453,3 @@ isc_stats_set(isc_stats_t *stats, isc_uint64_t val,
 	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_write);
 #endif
 }
-
diff --git a/usr.sbin/bind/lib/isc/string.c b/usr.sbin/bind/lib/isc/string.c
index 04a25943734..7d498cbe514 100644
--- a/usr.sbin/bind/lib/isc/string.c
+++ b/usr.sbin/bind/lib/isc/string.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/strtoul.c b/usr.sbin/bind/lib/isc/strtoul.c
index 1fca4489371..25337205044 100644
--- a/usr.sbin/bind/lib/isc/strtoul.c
+++ b/usr.sbin/bind/lib/isc/strtoul.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -49,7 +48,7 @@
 static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #endif /* LIBC_SCCS and not lint */
 
-/* $Id: strtoul.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: strtoul.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/symtab.c b/usr.sbin/bind/lib/isc/symtab.c
index b0aee077766..1936c50f7a7 100644
--- a/usr.sbin/bind/lib/isc/symtab.c
+++ b/usr.sbin/bind/lib/isc/symtab.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: symtab.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/task.c b/usr.sbin/bind/lib/isc/task.c
index 44da80c6771..3c3c095fd9e 100644
--- a/usr.sbin/bind/lib/isc/task.c
+++ b/usr.sbin/bind/lib/isc/task.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2015, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -707,6 +706,7 @@ isc__task_purgerange(isc_task_t *task0, void *sender, isc_eventtype_t first,
 
 	for (event = HEAD(events); event != NULL; event = next_event) {
 		next_event = NEXT(event, ev_link);
+		ISC_LIST_UNLINK(events, event, ev_link);
 		isc_event_free(&event);
 	}
 
@@ -886,8 +886,7 @@ isc__task_setname(isc_task_t *task0, const char *name, void *tag) {
 	REQUIRE(VALID_TASK(task));
 
 	LOCK(&task->lock);
-	memset(task->name, 0, sizeof(task->name));
-	strncpy(task->name, name, sizeof(task->name) - 1);
+	strlcpy(task->name, name, sizeof(task->name));
 	task->tag = tag;
 	UNLOCK(&task->lock);
 }
@@ -1438,6 +1437,10 @@ isc__taskmgr_create(isc_mem_t *mctx, unsigned int workers,
 		if (isc_thread_create(run, manager,
 				      &manager->threads[manager->workers]) ==
 		    ISC_R_SUCCESS) {
+			char name[16];	/* thread name limit on Linux */
+			snprintf(name, sizeof(name), "isc-worker%04u", i);
+			isc_thread_setname(manager->threads[manager->workers],
+					   name);
 			manager->workers++;
 			started++;
 		}
@@ -1960,7 +1963,7 @@ isc_taskmgr_renderjson(isc_taskmgr_t *mgr0, json_object *tasks) {
 		CHECKMEM(taskobj);
 		json_object_array_add(array, taskobj);
 
-		sprintf(buf, "%p", task);
+		snprintf(buf, sizeof(buf), "%p", task);
 		obj = json_object_new_string(buf);
 		CHECKMEM(obj);
 		json_object_object_add(taskobj, "id", obj);
diff --git a/usr.sbin/bind/lib/isc/task_p.h b/usr.sbin/bind/lib/isc/task_p.h
index f489666ce49..a8c3a1782fa 100644
--- a/usr.sbin/bind/lib/isc/task_p.h
+++ b/usr.sbin/bind/lib/isc/task_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: task_p.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
diff --git a/usr.sbin/bind/lib/isc/taskpool.c b/usr.sbin/bind/lib/isc/taskpool.c
index 560c975c194..05a784dafdf 100644
--- a/usr.sbin/bind/lib/isc/taskpool.c
+++ b/usr.sbin/bind/lib/isc/taskpool.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: taskpool.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/timer.c b/usr.sbin/bind/lib/isc/timer.c
index b0ef62898e2..161d91cd9c9 100644
--- a/usr.sbin/bind/lib/isc/timer.c
+++ b/usr.sbin/bind/lib/isc/timer.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.3 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: timer.c,v 1.4 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
@@ -923,6 +922,7 @@ isc__timermgr_create(isc_mem_t *mctx, isc_timermgr_t **managerp) {
 						ISC_MSG_FAILED, "failed"));
 		return (ISC_R_UNEXPECTED);
 	}
+	isc_thread_setname(manager->thread, "isc-timer");
 #endif
 #ifdef USE_SHARED_MANAGER
 	manager->refs = 1;
diff --git a/usr.sbin/bind/lib/isc/timer_p.h b/usr.sbin/bind/lib/isc/timer_p.h
index 4d0816ef3ff..bc3cb09cb60 100644
--- a/usr.sbin/bind/lib/isc/timer_p.h
+++ b/usr.sbin/bind/lib/isc/timer_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: timer_p.h,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
diff --git a/usr.sbin/bind/lib/isc/tm.c b/usr.sbin/bind/lib/isc/tm.c
index 842a2f7fb4a..3063783e0de 100644
--- a/usr.sbin/bind/lib/isc/tm.c
+++ b/usr.sbin/bind/lib/isc/tm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/unix/Makefile.in b/usr.sbin/bind/lib/isc/unix/Makefile.in
index e823c25c952..8659bda43aa 100644
--- a/usr.sbin/bind/lib/isc/unix/Makefile.in
+++ b/usr.sbin/bind/lib/isc/unix/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -20,8 +19,8 @@ top_srcdir =	@top_srcdir@
 CINCLUDES =	-I${srcdir}/include \
 		-I${srcdir}/../@ISC_THREAD_DIR@/include \
 		-I../include \
-		-I${srcdir}/../include @ISC_OPENSSL_INC@ \
-		-I${srcdir}/..
+		-I${srcdir}/../include \
+		-I${srcdir}/.. @ISC_OPENSSL_INC@
 
 CDEFINES =	@CRYPTO@
 CWARNINGS =
diff --git a/usr.sbin/bind/lib/isc/unix/app.c b/usr.sbin/bind/lib/isc/unix/app.c
index edd0745db50..98bcdb4fd1d 100644
--- a/usr.sbin/bind/lib/isc/unix/app.c
+++ b/usr.sbin/bind/lib/isc/unix/app.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -425,6 +424,7 @@ isc__app_ctxonrun(isc_appctx_t *ctx0, isc_mem_t *mctx, isc_task_t *task,
 	event = isc_event_allocate(mctx, cloned_task, ISC_APPEVENT_SHUTDOWN,
 				   action, arg, sizeof(*event));
 	if (event == NULL) {
+		isc_task_detach(&cloned_task);
 		result = ISC_R_NOMEMORY;
 		goto unlock;
 	}
diff --git a/usr.sbin/bind/lib/isc/unix/dir.c b/usr.sbin/bind/lib/isc/unix/dir.c
index 5456d14a471..287aa70a39c 100644
--- a/usr.sbin/bind/lib/isc/unix/dir.c
+++ b/usr.sbin/bind/lib/isc/unix/dir.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2011, 2012, 2017  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -30,6 +29,7 @@
 #include <isc/dir.h>
 #include <isc/magic.h>
 #include <isc/netdb.h>
+#include <isc/print.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
@@ -66,10 +66,11 @@ isc_dir_open(isc_dir_t *dir, const char *dirname) {
 	 * Copy directory name.  Need to have enough space for the name,
 	 * a possible path separator, the wildcard, and the final NUL.
 	 */
-	if (strlen(dirname) + 3 > sizeof(dir->dirname))
+	if (strlen(dirname) + 3 > sizeof(dir->dirname)) {
 		/* XXXDCL ? */
 		return (ISC_R_NOSPACE);
-	strcpy(dir->dirname, dirname);
+	}
+	strlcpy(dir->dirname, dirname, sizeof(dir->dirname));
 
 	/*
 	 * Append path separator, if needed, and "*".
@@ -85,8 +86,9 @@ isc_dir_open(isc_dir_t *dir, const char *dirname) {
 	 */
 	dir->handle = opendir(dirname);
 
-	if (dir->handle == NULL)
-		return isc__errno2result(errno);
+	if (dir->handle == NULL) {
+		return (isc__errno2result(errno));
+	}
 
 	return (result);
 }
@@ -116,9 +118,9 @@ isc_dir_read(isc_dir_t *dir) {
 	 * Make sure that the space for the name is long enough.
 	 */
 	if (sizeof(dir->entry.name) <= strlen(entry->d_name))
-	    return (ISC_R_UNEXPECTED);
+		return (ISC_R_UNEXPECTED);
 
-	strcpy(dir->entry.name, entry->d_name);
+	strlcpy(dir->entry.name, entry->d_name, sizeof(dir->entry.name));
 
 	/*
 	 * Some dirents have d_namlen, but it is not portable.
diff --git a/usr.sbin/bind/lib/isc/unix/entropy.c b/usr.sbin/bind/lib/isc/unix/entropy.c
index c13d3fd2ce5..95466a86cec 100644
--- a/usr.sbin/bind/lib/isc/unix/entropy.c
+++ b/usr.sbin/bind/lib/isc/unix/entropy.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.7 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: entropy.c,v 1.8 2019/12/17 01:46:37 sthen Exp $ */
 
 /* \file unix/entropy.c
  * \brief
@@ -37,7 +36,9 @@
 #include <unistd.h>
 
 #include <isc/platform.h>
+#include <isc/print.h>
 #include <isc/strerror.h>
+#include <isc/string.h>
 
 #ifdef ISC_PLATFORM_NEEDSYSSELECTH
 #include <sys/select.h>
@@ -160,7 +161,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 			INSIST(n == 2);
 			source->sources.usocket.status =
 						isc_usocketsource_wrote;
-			/*FALLTHROUGH*/
+			/* FALLTHROUGH */
 
 		case isc_usocketsource_wrote:
 			if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) {
@@ -198,7 +199,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 			source->sources.usocket.sz_to_recv = sz_to_recv;
 			if (sz_to_recv > sizeof(buf))
 				goto err;
-			/*FALLTHROUGH*/
+			/* FALLTHROUGH */
 
 		case isc_usocketsource_reading:
 			if (sz_to_recv != 0U) {
@@ -456,11 +457,14 @@ destroyusocketsource(isc_entropyusocketsource_t *source) {
 static isc_result_t
 make_nonblock(int fd) {
 	int ret;
-	int flags;
 	char strbuf[ISC_STRERRORSIZE];
 #ifdef USE_FIONBIO_IOCTL
 	int on = 1;
+#else
+	int flags;
+#endif
 
+#ifdef USE_FIONBIO_IOCTL
 	ret = ioctl(fd, FIONBIO, (char *)&on);
 #else
 	flags = fcntl(fd, F_GETFL, 0);
diff --git a/usr.sbin/bind/lib/isc/unix/errno.c b/usr.sbin/bind/lib/isc/unix/errno.c
index 609e15f6c3f..b7292338adb 100644
--- a/usr.sbin/bind/lib/isc/unix/errno.c
+++ b/usr.sbin/bind/lib/isc/unix/errno.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/unix/errno2result.c b/usr.sbin/bind/lib/isc/unix/errno2result.c
index 74363730bf1..baac7805d6b 100644
--- a/usr.sbin/bind/lib/isc/unix/errno2result.c
+++ b/usr.sbin/bind/lib/isc/unix/errno2result.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011-2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: errno2result.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/errno2result.h b/usr.sbin/bind/lib/isc/unix/errno2result.h
index 6f53ed74798..9c9c00daca8 100644
--- a/usr.sbin/bind/lib/isc/unix/errno2result.h
+++ b/usr.sbin/bind/lib/isc/unix/errno2result.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/isc/unix/file.c b/usr.sbin/bind/lib/isc/unix/file.c
index 75980292713..d43e4f7aaae 100644
--- a/usr.sbin/bind/lib/isc/unix/file.c
+++ b/usr.sbin/bind/lib/isc/unix/file.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -44,7 +43,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: file.c,v 1.6 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: file.c,v 1.7 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
@@ -239,17 +238,18 @@ isc_file_template(const char *path, const char *templet, char *buf,
 	s = strrchr(path, '/');
 
 	if (s != NULL) {
-		if ((s - path + 1 + strlen(templet) + 1) > buflen)
+		size_t prefixlen = s - path + 1;
+		if ((prefixlen + strlen(templet) + 1) > buflen)
 			return (ISC_R_NOSPACE);
 
-		strncpy(buf, path, s - path + 1);
-		buf[s - path + 1] = '\0';
-		strcat(buf, templet);
+		/* Copy 'prefixlen' bytes and NUL terminate. */
+		strlcpy(buf, path, ISC_MIN(prefixlen + 1, buflen));
+		strlcat(buf, templet, buflen);
 	} else {
 		if ((strlen(templet) + 1) > buflen)
 			return (ISC_R_NOSPACE);
 
-		strcpy(buf, templet);
+		strlcpy(buf, templet, buflen);
 	}
 
 	return (ISC_R_SUCCESS);
@@ -546,15 +546,17 @@ dir_current(char *dirname, size_t length) {
 	cwd = getcwd(dirname, length);
 
 	if (cwd == NULL) {
-		if (errno == ERANGE)
+		if (errno == ERANGE) {
 			result = ISC_R_NOSPACE;
-		else
+		} else {
 			result = isc__errno2result(errno);
+		}
 	} else {
-		if (strlen(dirname) + 1 == length)
+		if (strlen(dirname) + 1 == length) {
 			result = ISC_R_NOSPACE;
-		else if (dirname[1] != '\0')
-			strcat(dirname, "/");
+		} else if (dirname[1] != '\0') {
+			strlcat(dirname, "/", length);
+		}
 	}
 
 	return (result);
@@ -568,7 +570,7 @@ isc_file_absolutepath(const char *filename, char *path, size_t pathlen) {
 		return (result);
 	if (strlen(path) + strlen(filename) + 1 > pathlen)
 		return (ISC_R_NOSPACE);
-	strcat(path, filename);
+	strlcat(path, filename, pathlen);
 	return (ISC_R_SUCCESS);
 }
 
@@ -701,3 +703,8 @@ isc_file_munmap(void *addr, size_t len) {
 	return (0);
 #endif
 }
+
+isc_boolean_t
+isc_file_isdirwritable(const char *path) {
+	return (ISC_TF(access(path, W_OK|X_OK) == 0));
+}
diff --git a/usr.sbin/bind/lib/isc/unix/fsaccess.c b/usr.sbin/bind/lib/isc/unix/fsaccess.c
index 8f0093c1c87..a68d84efb9f 100644
--- a/usr.sbin/bind/lib/isc/unix/fsaccess.c
+++ b/usr.sbin/bind/lib/isc/unix/fsaccess.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.5 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: fsaccess.c,v 1.6 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c b/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c
index 5905e1e1e37..66cf55b332a 100644
--- a/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c
+++ b/usr.sbin/bind/lib/isc/unix/ifiter_getifaddrs.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_getifaddrs.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file
  * \brief
diff --git a/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c b/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c
index 8dedf2726d7..f0f8200e36b 100644
--- a/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c
+++ b/usr.sbin/bind/lib/isc/unix/ifiter_ioctl.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.9 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.10 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <isc/print.h>
 
@@ -411,7 +410,8 @@ internal_current_clusteralias(isc_interfaceiter_t *iter) {
 	memset(&iter->current, 0, sizeof(iter->current));
 	iter->current.af = iter->clua_sa.sa_family;
 	memset(iter->current.name, 0, sizeof(iter->current.name));
-	sprintf(iter->current.name, "clua%d", ci.aliasid);
+	snprintf(iter->current.name, sizeof(iter->current.name),
+		 "clua%d", ci.aliasid);
 	iter->current.flags = INTERFACE_F_UP;
 	get_inaddr(&iter->current.address, &ci.addr);
 	get_inaddr(&iter->current.netmask, &ci.netmask);
@@ -563,7 +563,8 @@ internal_current4(isc_interfaceiter_t *iter) {
 			bits = 8 - prefixlen;
 			prefixlen = 0;
 		}
-		iter->current.netmask.type.in6.s6_addr[i] = (~0 << bits) & 0xff;
+		iter->current.netmask.type.in6.s6_addr[i] =
+			(~0U << bits) & 0xff;
 	}
 	return (ISC_R_SUCCESS);
 
@@ -757,7 +758,7 @@ internal_current6(isc_interfaceiter_t *iter) {
 			bits = lifreq.lifr_addrlen - i;
 			bits = (bits < 8) ? (8 - bits) : 0;
 			iter->current.netmask.type.in6.s6_addr[i / 8] =
-				(~0 << bits) & 0xff;
+				(~0U << bits) & 0xff;
 		}
 
 		return (ISC_R_SUCCESS);
diff --git a/usr.sbin/bind/lib/isc/unix/ifiter_sysctl.c b/usr.sbin/bind/lib/isc/unix/ifiter_sysctl.c
index 0ffed216162..339745421c3 100644
--- a/usr.sbin/bind/lib/isc/unix/ifiter_sysctl.c
+++ b/usr.sbin/bind/lib/isc/unix/ifiter_sysctl.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_sysctl.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: ifiter_sysctl.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file
  * \brief
diff --git a/usr.sbin/bind/lib/isc/unix/include/Makefile.in b/usr.sbin/bind/lib/isc/unix/include/Makefile.in
index 96a52201f9b..3f172ed64d8 100644
--- a/usr.sbin/bind/lib/isc/unix/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/unix/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:27 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/unix/include/isc/Makefile.in
index e32d7bc5076..774aa45fcd2 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/dir.h b/usr.sbin/bind/lib/isc/unix/include/isc/dir.h
index 9cb6ad7bee9..137d84c2689 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/dir.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/dir.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: dir.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /* Principal Authors: DCL */
 
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/int.h b/usr.sbin/bind/lib/isc/unix/include/isc/int.h
index ab5d162e6be..b492ea68328 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/int.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/int.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,14 +14,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: int.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
 
 /*! \file */
 
-typedef char				isc_int8_t;
+typedef signed char			isc_int8_t;
 typedef unsigned char			isc_uint8_t;
 typedef short				isc_int16_t;
 typedef unsigned short			isc_uint16_t;
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/keyboard.h b/usr.sbin/bind/lib/isc/unix/include/isc/keyboard.h
index 4cc18423b96..1101bdb1e32 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/keyboard.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/keyboard.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: keyboard.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_KEYBOARD_H
 #define ISC_KEYBOARD_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/net.h b/usr.sbin/bind/lib/isc/unix/include/isc/net.h
index ff4be26f9fe..3d5ee894f8b 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/net.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/net.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: net.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
@@ -184,6 +183,11 @@
 #define PF_INET6 AF_INET6
 #endif
 
+#ifndef INADDR_ANY
+/*% inaddr any */
+#define INADDR_ANY 0x00000000UL
+#endif
+
 #ifndef INADDR_LOOPBACK
 /*% inaddr loopback */
 #define INADDR_LOOPBACK 0x7f000001UL
@@ -396,6 +400,7 @@ isc_net_getudpportrange(int af, in_port_t *low, in_port_t *high);
 #ifdef ISC_PLATFORM_NEEDNTOP
 const char *
 isc_net_ntop(int af, const void *src, char *dst, size_t size);
+#undef inet_ntop
 #define inet_ntop isc_net_ntop
 #endif
 
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/netdb.h b/usr.sbin/bind/lib/isc/unix/include/isc/netdb.h
index b5d39e36b08..1e65d0444d4 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/netdb.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/netdb.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: netdb.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_NETDB_H
 #define ISC_NETDB_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/offset.h b/usr.sbin/bind/lib/isc/unix/include/isc/offset.h
index a44b7ae77c6..1b200c10d8e 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/offset.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/offset.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: offset.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/stat.h b/usr.sbin/bind/lib/isc/unix/include/isc/stat.h
index 70b00d74855..7e4a369907e 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/stat.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/stat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stat.h,v 1.4 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: stat.h,v 1.5 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_STAT_H
 #define ISC_STAT_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/stdtime.h b/usr.sbin/bind/lib/isc/unix/include/isc/stdtime.h
index 97706021630..f776a24a642 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/stdtime.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/stdtime.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: stdtime.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/strerror.h b/usr.sbin/bind/lib/isc/unix/include/isc/strerror.h
index 756d8dca0b4..5116c9a6292 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/strerror.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/strerror.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: strerror.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/syslog.h b/usr.sbin/bind/lib/isc/unix/include/isc/syslog.h
index c2550c249a5..75d590523de 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/syslog.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/syslog.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: syslog.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_SYSLOG_H
 #define ISC_SYSLOG_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/isc/time.h b/usr.sbin/bind/lib/isc/unix/include/isc/time.h
index 8d19f234192..19381959463 100644
--- a/usr.sbin/bind/lib/isc/unix/include/isc/time.h
+++ b/usr.sbin/bind/lib/isc/unix/include/isc/time.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2009, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: time.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
diff --git a/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in b/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in
index 3501a13029b..df1b94e7efa 100644
--- a/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in
+++ b/usr.sbin/bind/lib/isc/unix/include/pkcs11/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1 2019/12/16 16:31:36 deraadt Exp $
+# $Id: Makefile.in,v 1.2 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/unix/interfaceiter.c b/usr.sbin/bind/lib/isc/unix/interfaceiter.c
index 691a8e8c8c4..acb88b6aa96 100644
--- a/usr.sbin/bind/lib/isc/unix/interfaceiter.c
+++ b/usr.sbin/bind/lib/isc/unix/interfaceiter.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: interfaceiter.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
@@ -186,7 +185,7 @@ linux_if_inet6_current(isc_interfaceiter_t *iter) {
 	char address[33];
 	char name[IF_NAMESIZE+1];
 	struct in6_addr addr6;
-	int ifindex, prefix, flag3, flag4;
+	unsigned int ifindex, prefix, flag3, flag4;
 	int res;
 	unsigned int i;
 
@@ -238,7 +237,7 @@ linux_if_inet6_current(isc_interfaceiter_t *iter) {
 		}
 	}
 	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
-	strncpy(iter->current.name, name, sizeof(iter->current.name));
+	strlcpy(iter->current.name, name, sizeof(iter->current.name));
 	return (ISC_R_SUCCESS);
 }
 #endif
diff --git a/usr.sbin/bind/lib/isc/unix/ipv6.c b/usr.sbin/bind/lib/isc/unix/ipv6.c
index 1f794727403..92da08d4051 100644
--- a/usr.sbin/bind/lib/isc/unix/ipv6.c
+++ b/usr.sbin/bind/lib/isc/unix/ipv6.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: ipv6.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/keyboard.c b/usr.sbin/bind/lib/isc/unix/keyboard.c
index efd2410f5a5..c241d1840da 100644
--- a/usr.sbin/bind/lib/isc/unix/keyboard.c
+++ b/usr.sbin/bind/lib/isc/unix/keyboard.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: keyboard.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/unix/net.c b/usr.sbin/bind/lib/isc/unix/net.c
index 8a732aabd05..3f9fda2c79a 100644
--- a/usr.sbin/bind/lib/isc/unix/net.c
+++ b/usr.sbin/bind/lib/isc/unix/net.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.5 2019/12/16 17:35:38 deraadt Exp $ */
+/* $Id: net.c,v 1.6 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
@@ -147,6 +146,9 @@ try_proto(int domain) {
 #ifdef EAFNOSUPPORT
 		case EAFNOSUPPORT:
 #endif
+#ifdef EPFNOSUPPORT
+		case EPFNOSUPPORT:
+#endif
 #ifdef EPROTONOSUPPORT
 		case EPROTONOSUPPORT:
 #endif
diff --git a/usr.sbin/bind/lib/isc/unix/os.c b/usr.sbin/bind/lib/isc/unix/os.c
index 3b24c9a120b..658b86b844f 100644
--- a/usr.sbin/bind/lib/isc/unix/os.c
+++ b/usr.sbin/bind/lib/isc/unix/os.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: os.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/unix/pk11_api.c b/usr.sbin/bind/lib/isc/unix/pk11_api.c
index c73007d7001..c610c36d2da 100644
--- a/usr.sbin/bind/lib/isc/unix/pk11_api.c
+++ b/usr.sbin/bind/lib/isc/unix/pk11_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: pk11_api.c,v 1.1 2019/12/16 16:31:36 deraadt Exp $ */
+/* $Id: pk11_api.c,v 1.2 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/resource.c b/usr.sbin/bind/lib/isc/unix/resource.c
index 2ea86f40368..fd2fb9524a9 100644
--- a/usr.sbin/bind/lib/isc/unix/resource.c
+++ b/usr.sbin/bind/lib/isc/unix/resource.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.3 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: resource.c,v 1.4 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/unix/socket.c b/usr.sbin/bind/lib/isc/unix/socket.c
index 67382adb0d4..fa8e8bf1d07 100644
--- a/usr.sbin/bind/lib/isc/unix/socket.c
+++ b/usr.sbin/bind/lib/isc/unix/socket.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -60,6 +59,7 @@
 #include <isc/socket.h>
 #include <isc/stats.h>
 #include <isc/strerror.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/thread.h>
 #include <isc/util.h>
@@ -319,6 +319,35 @@ typedef isc_event_t intev_t;
 #endif /* TUNE_LARGE */
 
 /*%
+ * Instead of calculating the cmsgbuf lengths every time we take
+ * a rule of thumb approach - sizes are taken from x86_64 linux,
+ * multiplied by 2, everything should fit. Those sizes are not
+ * large enough to cause any concern.
+ */
+#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
+#define CMSG_SP_IN6PKT 40
+#else
+#define CMSG_SP_IN6PKT 0
+#endif
+
+#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
+#define CMSG_SP_TIMESTAMP 32
+#else
+#define CMSG_SP_TIMESTAMP 0
+#endif
+
+#if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS))
+#define CMSG_SP_TCTOS 24
+#else
+#define CMSG_SP_TCTOS 0
+#endif
+
+#define CMSG_SP_INT 24
+
+#define RECVCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_TIMESTAMP + CMSG_SP_TCTOS)+1)
+#define SENDCMSGBUFLEN (2*(CMSG_SP_IN6PKT + CMSG_SP_INT + CMSG_SP_TCTOS)+1)
+
+/*%
  * The number of times a send operation is repeated if the result is EINTR.
  */
 #define NRETRIES 10
@@ -370,15 +399,10 @@ struct isc__socket {
 				active : 1,         /* currently active */
 				pktdscp : 1;	    /* per packet dscp */
 
-#ifdef ISC_NET_RECVOVERFLOW
+#ifdef ISC_PLATFORM_RECVOVERFLOW
 	unsigned char		overflow; /* used for MSG_TRUNC fake */
 #endif
 
-	char			*recvcmsgbuf;
-	ISC_SOCKADDR_LEN_T	recvcmsgbuflen;
-	char			*sendcmsgbuf;
-	ISC_SOCKADDR_LEN_T	sendcmsgbuflen;
-
 	void			*fdwatcharg;
 	isc_sockfdwatch_t	fdwatchcb;
 	int			fdwatchflags;
@@ -462,7 +486,7 @@ static isc__socketmgr_t *socketmgr = NULL;
  * send() and recv() iovec counts
  */
 #define MAXSCATTERGATHER_SEND	(ISC_SOCKET_MAXSCATTERGATHER)
-#ifdef ISC_NET_RECVOVERFLOW
+#ifdef ISC_PLATFORM_RECVOVERFLOW
 # define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER + 1)
 #else
 # define MAXSCATTERGATHER_RECV	(ISC_SOCKET_MAXSCATTERGATHER)
@@ -485,9 +509,9 @@ static void internal_send(isc_task_t *, isc_event_t *);
 static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
 static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
 static void process_cmsg(isc__socket_t *, struct msghdr *, isc_socketevent_t *);
-static void build_msghdr_send(isc__socket_t *, isc_socketevent_t *,
+static void build_msghdr_send(isc__socket_t *, char *, isc_socketevent_t *,
 			      struct msghdr *, struct iovec *, size_t *);
-static void build_msghdr_recv(isc__socket_t *, isc_socketevent_t *,
+static void build_msghdr_recv(isc__socket_t *, char *, isc_socketevent_t *,
 			      struct msghdr *, struct iovec *, size_t *);
 #ifdef USE_WATCHER_THREAD
 static isc_boolean_t process_ctlfd(isc__socketmgr_t *manager);
@@ -1223,11 +1247,14 @@ select_poke(isc__socketmgr_t *manager, int fd, int msg) {
 static isc_result_t
 make_nonblock(int fd) {
 	int ret;
-	int flags;
 	char strbuf[ISC_STRERRORSIZE];
 #ifdef USE_FIONBIO_IOCTL
 	int on = 1;
+#else
+	int flags;
+#endif
 
+#ifdef USE_FIONBIO_IOCTL
 	ret = ioctl(fd, FIONBIO, (char *)&on);
 #else
 	flags = fcntl(fd, F_GETFL, 0);
@@ -1309,6 +1336,7 @@ cmsg_space(ISC_SOCKADDR_LEN_T len) {
  */
 static void
 process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
+#ifdef ISC_NET_BSD44MSGHDR
 #ifdef USE_CMSG
 	struct cmsghdr *cmsgp;
 #ifdef ISC_PLATFORM_HAVEIN6PKTINFO
@@ -1318,6 +1346,7 @@ process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
 	void *timevalp;
 #endif
 #endif
+#endif
 
 	/*
 	 * sock is used only when ISC_NET_BSD44MSGHDR and USE_CMSG are defined.
@@ -1436,7 +1465,7 @@ process_cmsg(isc__socket_t *sock, struct msghdr *msg, isc_socketevent_t *dev) {
  * this transaction can send.
  */
 static void
-build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_send(isc__socket_t *sock, char* cmsgbuf, isc_socketevent_t *dev,
 		  struct msghdr *msg, struct iovec *iov, size_t *write_countp)
 {
 	unsigned int iovcount;
@@ -1526,11 +1555,11 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 			   "sendto pktinfo data, ifindex %u",
 			   dev->pktinfo.ipi6_ifindex);
 
+		msg->msg_control = (void *)cmsgbuf;
 		msg->msg_controllen = cmsg_space(sizeof(struct in6_pktinfo));
-		INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
-		msg->msg_control = (void *)sock->sendcmsgbuf;
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
 
-		cmsgp = (struct cmsghdr *)sock->sendcmsgbuf;
+		cmsgp = (struct cmsghdr *)cmsgbuf;
 		cmsgp->cmsg_level = IPPROTO_IPV6;
 		cmsgp->cmsg_type = IPV6_PKTINFO;
 		cmsgp->cmsg_len = cmsg_len(sizeof(struct in6_pktinfo));
@@ -1545,10 +1574,12 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 	{
 		int use_min_mtu = 1;	/* -1, 0, 1 */
 
-		cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
+		cmsgp = (struct cmsghdr *)(cmsgbuf +
 					   msg->msg_controllen);
+
+		msg->msg_control = (void *)cmsgbuf;
 		msg->msg_controllen += cmsg_space(sizeof(use_min_mtu));
-		INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
+		INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
 
 		cmsgp->cmsg_level = IPPROTO_IPV6;
 		cmsgp->cmsg_type = IPV6_USE_MIN_MTU;
@@ -1564,6 +1595,7 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 			INSIST((int)sock->dscp == isc_dscp_check_value);
 	}
 
+#if defined(IP_TOS) || (defined(IPPROTO_IPV6) && defined(IPV6_TCLASS))
 	if ((sock->type == isc_sockettype_udp) &&
 	    ((dev->attributes & ISC_SOCKEVENTATTR_DSCP) != 0))
 	{
@@ -1573,11 +1605,11 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 
 #ifdef IP_TOS
 		if (sock->pf == AF_INET && sock->pktdscp) {
-			cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
 						   msg->msg_controllen);
-			msg->msg_control = (void *)sock->sendcmsgbuf;
+			msg->msg_control = (void *)cmsgbuf;
 			msg->msg_controllen += cmsg_space(sizeof(dscp));
-			INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
 
 			cmsgp->cmsg_level = IPPROTO_IP;
 			cmsgp->cmsg_type = IP_TOS;
@@ -1604,11 +1636,11 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 #endif
 #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
 		if (sock->pf == AF_INET6 && sock->pktdscp) {
-			cmsgp = (struct cmsghdr *)(sock->sendcmsgbuf +
+			cmsgp = (struct cmsghdr *)(cmsgbuf +
 						   msg->msg_controllen);
-			msg->msg_control = (void *)sock->sendcmsgbuf;
+			msg->msg_control = (void *)cmsgbuf;
 			msg->msg_controllen += cmsg_space(sizeof(dscp));
-			INSIST(msg->msg_controllen <= sock->sendcmsgbuflen);
+			INSIST(msg->msg_controllen <= SENDCMSGBUFLEN);
 
 			cmsgp->cmsg_level = IPPROTO_IPV6;
 			cmsgp->cmsg_type = IPV6_TCLASS;
@@ -1632,7 +1664,14 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
 				sock->dscp = dscp;
 		}
 #endif
+		if (msg->msg_controllen != 0 &&
+		    msg->msg_controllen < SENDCMSGBUFLEN)
+		{
+			memset(cmsgbuf + msg->msg_controllen, 0,
+			       SENDCMSGBUFLEN - msg->msg_controllen);
+		}
 	}
+#endif
 #endif /* USE_CMSG */
 #else /* ISC_NET_BSD44MSGHDR */
 	msg->msg_accrights = NULL;
@@ -1656,7 +1695,7 @@ build_msghdr_send(isc__socket_t *sock, isc_socketevent_t *dev,
  * this transaction can receive.
  */
 static void
-build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
+build_msghdr_recv(isc__socket_t *sock, char *cmsgbuf, isc_socketevent_t *dev,
 		  struct msghdr *msg, struct iovec *iov, size_t *read_countp)
 {
 	unsigned int iovcount;
@@ -1688,10 +1727,6 @@ build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
 		msg->msg_name = (void *)&dev->address.type.sa;
 		msg->msg_namelen = sizeof(dev->address.type);
 #endif
-#ifdef ISC_NET_RECVOVERFLOW
-		/* If needed, steal one iovec for overflow detection. */
-		maxiov--;
-#endif
 	} else { /* TCP */
 		msg->msg_name = NULL;
 		msg->msg_namelen = 0;
@@ -1742,12 +1777,11 @@ build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
  config:
 
 	/*
-	 * If needed, set up to receive that one extra byte.  Note that
-	 * we know there is at least one iov left, since we stole it
-	 * at the top of this function.
+	 * If needed, set up to receive that one extra byte.
 	 */
-#ifdef ISC_NET_RECVOVERFLOW
+#ifdef ISC_PLATFORM_RECVOVERFLOW
 	if (sock->type == isc_sockettype_udp) {
+		INSIST(iovcount < MAXSCATTERGATHER_RECV);
 		iov[iovcount].iov_base = (void *)(&sock->overflow);
 		iov[iovcount].iov_len = 1;
 		iovcount++;
@@ -1759,8 +1793,8 @@ build_msghdr_recv(isc__socket_t *sock, isc_socketevent_t *dev,
 
 #ifdef ISC_NET_BSD44MSGHDR
 #if defined(USE_CMSG)
-	msg->msg_control = sock->recvcmsgbuf;
-	msg->msg_controllen = sock->recvcmsgbuflen;
+	msg->msg_control = cmsgbuf;
+	msg->msg_controllen = RECVCMSGBUFLEN;
 #else
 	msg->msg_control = NULL;
 	msg->msg_controllen = 0;
@@ -1838,7 +1872,7 @@ dump_msg(struct msghdr *msg) {
 	printf("\tiov %p, iovlen %ld\n", msg->msg_iov,
 	       (long) msg->msg_iovlen);
 	for (i = 0; i < (unsigned int)msg->msg_iovlen; i++)
-		printf("\t\t%d\tbase %p, len %ld\n", i,
+		printf("\t\t%u\tbase %p, len %ld\n", i,
 		       msg->msg_iov[i].iov_base,
 		       (long) msg->msg_iov[i].iov_len);
 #ifdef ISC_NET_BSD44MSGHDR
@@ -1863,8 +1897,9 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
 	isc_buffer_t *buffer;
 	int recv_errno;
 	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[RECVCMSGBUFLEN] = {0};
 
-	build_msghdr_recv(sock, dev, &msghdr, iov, &read_count);
+	build_msghdr_recv(sock, cmsgbuf, dev, &msghdr, iov, &read_count);
 
 #if defined(ISC_SOCKET_DEBUG)
 	dump_msg(&msghdr);
@@ -1984,7 +2019,7 @@ doio_recv(isc__socket_t *sock, isc_socketevent_t *dev) {
 	 * this indicates an overflow situation.  Set the flag in the
 	 * dev entry and adjust how much we read by one.
 	 */
-#ifdef ISC_NET_RECVOVERFLOW
+#ifdef ISC_PLATFORM_RECVOVERFLOW
 	if ((sock->type == isc_sockettype_udp) && ((size_t)cc > read_count)) {
 		dev->attributes |= ISC_SOCKEVENTATTR_TRUNC;
 		cc--;
@@ -2058,8 +2093,9 @@ doio_send(isc__socket_t *sock, isc_socketevent_t *dev) {
 	int attempts = 0;
 	int send_errno;
 	char strbuf[ISC_STRERRORSIZE];
+	char cmsgbuf[SENDCMSGBUFLEN] = {0};
 
-	build_msghdr_send(sock, dev, &msghdr, iov, &write_count);
+	build_msghdr_send(sock, cmsgbuf, dev, &msghdr, iov, &write_count);
 
  resend:
 	if (sock->type == isc_sockettype_udp &&
@@ -2277,7 +2313,6 @@ allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
 {
 	isc__socket_t *sock;
 	isc_result_t result;
-	ISC_SOCKADDR_LEN_T cmsgbuflen;
 
 	sock = isc_mem_get(manager->mctx, sizeof(*sock));
 
@@ -2298,53 +2333,6 @@ allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
 
 	ISC_LINK_INIT(sock, link);
 
-	sock->recvcmsgbuf = NULL;
-	sock->sendcmsgbuf = NULL;
-
-	/*
-	 * Set up cmsg buffers.
-	 */
-	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
-#endif
-#if defined(USE_CMSG) && defined(SO_TIMESTAMP)
-	cmsgbuflen += cmsg_space(sizeof(struct timeval));
-#endif
-#if defined(USE_CMSG) && (defined(IPV6_TCLASS) || defined(IP_TOS))
-	cmsgbuflen += cmsg_space(sizeof(int));
-#endif
-	sock->recvcmsgbuflen = cmsgbuflen;
-	if (sock->recvcmsgbuflen != 0U) {
-		sock->recvcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
-		if (sock->recvcmsgbuf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-	}
-
-	cmsgbuflen = 0;
-#if defined(USE_CMSG) && defined(ISC_PLATFORM_HAVEIN6PKTINFO)
-	cmsgbuflen += cmsg_space(sizeof(struct in6_pktinfo));
-#if defined(IPV6_USE_MIN_MTU)
-	/*
-	 * Provide space for working around FreeBSD's broken IPV6_USE_MIN_MTU
-	 * support.
-	 */
-	cmsgbuflen += cmsg_space(sizeof(int));
-#endif
-#endif
-#if defined(USE_CMSG) && (defined(IP_TOS) || defined(IPV6_TCLASS))
-	cmsgbuflen += cmsg_space(sizeof(int));
-#endif
-	sock->sendcmsgbuflen = cmsgbuflen;
-	if (sock->sendcmsgbuflen != 0U) {
-		sock->sendcmsgbuf = isc_mem_get(manager->mctx, cmsgbuflen);
-		if (sock->sendcmsgbuf == NULL) {
-			result = ISC_R_NOMEMORY;
-			goto error;
-		}
-	}
 
 	memset(sock->name, 0, sizeof(sock->name));
 	sock->tag = NULL;
@@ -2392,12 +2380,6 @@ allocate_socket(isc__socketmgr_t *manager, isc_sockettype_t type,
 	return (ISC_R_SUCCESS);
 
  error:
-	if (sock->recvcmsgbuf != NULL)
-		isc_mem_put(manager->mctx, sock->recvcmsgbuf,
-			    sock->recvcmsgbuflen);
-	if (sock->sendcmsgbuf != NULL)
-		isc_mem_put(manager->mctx, sock->sendcmsgbuf,
-			    sock->sendcmsgbuflen);
 	isc_mem_put(manager->mctx, sock, sizeof(*sock));
 
 	return (result);
@@ -2425,13 +2407,6 @@ free_socket(isc__socket_t **socketp) {
 	INSIST(ISC_LIST_EMPTY(sock->accept_list));
 	INSIST(!ISC_LINK_LINKED(sock, link));
 
-	if (sock->recvcmsgbuf != NULL)
-		isc_mem_put(sock->manager->mctx, sock->recvcmsgbuf,
-			    sock->recvcmsgbuflen);
-	if (sock->sendcmsgbuf != NULL)
-		isc_mem_put(sock->manager->mctx, sock->sendcmsgbuf,
-			    sock->sendcmsgbuflen);
-
 	sock->common.magic = 0;
 	sock->common.impmagic = 0;
 
@@ -2658,20 +2633,20 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
 	 */
 	if (manager->reserved != 0 && sock->type == isc_sockettype_udp &&
 	    sock->fd >= 0 && sock->fd < manager->reserved) {
-		int new, tmp;
-		new = fcntl(sock->fd, F_DUPFD, manager->reserved);
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, manager->reserved);
 		tmp = errno;
 		(void)close(sock->fd);
 		errno = tmp;
-		sock->fd = new;
+		sock->fd = newfd;
 		err = "isc_socket_create: fcntl/reserved";
 	} else if (sock->fd >= 0 && sock->fd < 20) {
-		int new, tmp;
-		new = fcntl(sock->fd, F_DUPFD, 20);
+		int newfd, tmp;
+		newfd = fcntl(sock->fd, F_DUPFD, 20);
 		tmp = errno;
 		(void)close(sock->fd);
 		errno = tmp;
-		sock->fd = new;
+		sock->fd = newfd;
 		err = "isc_socket_create: fcntl";
 	}
 #endif
@@ -2802,15 +2777,6 @@ opensocket(isc__socketmgr_t *manager, isc__socket_t *sock,
 #endif /* SO_TIMESTAMP */
 
 #if defined(ISC_PLATFORM_HAVEIPV6)
-		if (sock->pf == AF_INET6 && sock->recvcmsgbuflen == 0U) {
-			/*
-			 * Warn explicitly because this anomaly can be hidden
-			 * in usual operation (and unexpectedly appear later).
-			 */
-			UNEXPECTED_ERROR(__FILE__, __LINE__,
-					 "No buffer available to receive "
-					 "IPv6 destination");
-		}
 #ifdef ISC_PLATFORM_HAVEIN6PKTINFO
 #ifdef IPV6_RECVPKTINFO
 		/* RFC 3542 */
@@ -3565,12 +3531,12 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	 * Leave a space for stdio to work in.
 	 */
 	if (fd >= 0 && fd < 20) {
-		int new, tmp;
-		new = fcntl(fd, F_DUPFD, 20);
+		int newfd, tmp;
+		newfd = fcntl(fd, F_DUPFD, 20);
 		tmp = errno;
 		(void)close(fd);
 		errno = tmp;
-		fd = new;
+		fd = newfd;
 		err = "accept/fcntl";
 	}
 #endif
@@ -3704,6 +3670,12 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		 */
 		dev->address = NEWCONNSOCK(dev)->peer_address;
 
+		if (NEWCONNSOCK(dev)->active == 0) {
+			inc_stats(manager->stats,
+				  NEWCONNSOCK(dev)->statsindex[STATID_ACTIVE]);
+			NEWCONNSOCK(dev)->active = 1;
+		}
+
 		LOCK(&manager->fdlock[lockid]);
 		manager->fds[fd] = NEWCONNSOCK(dev);
 		manager->fdstate[fd] = MANAGED;
@@ -3729,7 +3701,6 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		UNLOCK(&manager->lock);
 
 		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
-		inc_stats(manager->stats, sock->statsindex[STATID_ACTIVE]);
 	} else {
 		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
 		NEWCONNSOCK(dev)->references--;
@@ -4755,6 +4726,7 @@ isc__socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 		result = ISC_R_UNEXPECTED;
 		goto cleanup;
 	}
+	isc_thread_setname(manager->watcher, "isc-socket");
 #endif /* USE_WATCHER_THREAD */
 	isc_mem_attach(mctx, &manager->mctx);
 
@@ -5202,6 +5174,8 @@ socket_send(isc__socket_t *sock, isc_socketevent_t *dev, isc_task_t *task,
 			break;
 		}
 
+		/* FALLTHROUGH */
+
 	case DOIO_HARD:
 	case DOIO_SUCCESS:
 		if ((flags & ISC_SOCKFLAG_IMMEDIATE) == 0)
@@ -5481,17 +5455,19 @@ isc__socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
 
 	REQUIRE(sockaddr->type.sa.sa_family == AF_UNIX);
 	INSIST(strlen(sockaddr->type.sunix.sun_path) < sizeof(path));
-	strcpy(path, sockaddr->type.sunix.sun_path);
+	strlcpy(path, sockaddr->type.sunix.sun_path, sizeof(path));
 
 #ifdef NEED_SECURE_DIRECTORY
 	slash = strrchr(path, '/');
 	if (slash != NULL) {
-		if (slash != path)
+		if (slash != path) {
 			*slash = '\0';
-		else
-			strcpy(path, "/");
-	} else
-		strcpy(path, ".");
+		} else {
+			strlcpy(path, "/", sizeof(path));
+		}
+	} else {
+		strlcpy(path, ".", sizeof(path));
+	}
 #endif
 
 	if (chmod(path, perm) < 0) {
@@ -5612,7 +5588,7 @@ isc__socket_filter(isc_socket_t *sock0, const char *filter) {
 
 #if defined(SO_ACCEPTFILTER) && defined(ENABLE_ACCEPTFILTER)
 	bzero(&afa, sizeof(afa));
-	strncpy(afa.af_name, filter, sizeof(afa.af_name));
+	strlcpy(afa.af_name, filter, sizeof(afa.af_name));
 	if (setsockopt(sock->fd, SOL_SOCKET, SO_ACCEPTFILTER,
 			 &afa, sizeof(afa)) == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
@@ -6466,8 +6442,7 @@ isc__socket_setname(isc_socket_t *socket0, const char *name, void *tag) {
 	REQUIRE(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	memset(sock->name, 0, sizeof(sock->name));
-	strncpy(sock->name, name, sizeof(sock->name) - 1);
+	strlcpy(sock->name, name, sizeof(sock->name));
 	sock->tag = tag;
 	UNLOCK(&sock->lock);
 }
@@ -6664,7 +6639,7 @@ isc_socketmgr_renderjson(isc_socketmgr_t *mgr0, json_object *stats) {
 
 		LOCK(&sock->lock);
 
-		sprintf(buf, "%p", sock);
+		snprintf(buf, sizeof(buf), "%p", sock);
 		obj = json_object_new_string(buf);
 		CHECKMEM(obj);
 		json_object_object_add(entry, "id", obj);
diff --git a/usr.sbin/bind/lib/isc/unix/socket_p.h b/usr.sbin/bind/lib/isc/unix/socket_p.h
index ec8fcf9279f..306d1d5ed4a 100644
--- a/usr.sbin/bind/lib/isc/unix/socket_p.h
+++ b/usr.sbin/bind/lib/isc/unix/socket_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.4 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: socket_p.h,v 1.5 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
diff --git a/usr.sbin/bind/lib/isc/unix/stdio.c b/usr.sbin/bind/lib/isc/unix/stdio.c
index 27a6462950f..3cd4f5e1fdb 100644
--- a/usr.sbin/bind/lib/isc/unix/stdio.c
+++ b/usr.sbin/bind/lib/isc/unix/stdio.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2011-2014, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: stdio.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/isc/unix/stdtime.c b/usr.sbin/bind/lib/isc/unix/stdtime.c
index e7e8170ecc3..bbb2c610a65 100644
--- a/usr.sbin/bind/lib/isc/unix/stdtime.c
+++ b/usr.sbin/bind/lib/isc/unix/stdtime.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: stdtime.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/strerror.c b/usr.sbin/bind/lib/isc/unix/strerror.c
index b139d6738db..08643c70540 100644
--- a/usr.sbin/bind/lib/isc/unix/strerror.c
+++ b/usr.sbin/bind/lib/isc/unix/strerror.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: strerror.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/syslog.c b/usr.sbin/bind/lib/isc/unix/syslog.c
index 0dfffdb8261..3400335b495 100644
--- a/usr.sbin/bind/lib/isc/unix/syslog.c
+++ b/usr.sbin/bind/lib/isc/unix/syslog.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.c,v 1.2 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: syslog.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/unix/time.c b/usr.sbin/bind/lib/isc/unix/time.c
index f8aabecdda7..04566e6b012 100644
--- a/usr.sbin/bind/lib/isc/unix/time.c
+++ b/usr.sbin/bind/lib/isc/unix/time.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.5 2019/12/16 16:16:27 deraadt Exp $ */
+/* $Id: time.c,v 1.6 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
@@ -30,6 +29,7 @@
 #include <sys/time.h>	/* Required for struct timeval on some platforms. */
 
 #include <isc/log.h>
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/strerror.h>
 #include <isc/string.h>
@@ -384,31 +384,53 @@ void
 isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
 	time_t now;
 	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
 
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
 	REQUIRE(len > 0);
 
 	now = (time_t) t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%d-%b-%Y %X", localtime_r(&now, &tm));
+#else
 	flen = strftime(buf, len, "%d-%b-%Y %X", localtime(&now));
+#endif
 	INSIST(flen < len);
-	if (flen != 0)
+	if (flen != 0) {
 		snprintf(buf + flen, len - flen,
 			 ".%03u", t->nanoseconds / 1000000);
-	else
-		snprintf(buf, len, "99-Bad-9999 99:99:99.999");
+	} else {
+		strlcpy(buf, "99-Bad-9999 99:99:99.999", len);
+	}
 }
 
 void
 isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
 	time_t now;
 	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
 
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
 	REQUIRE(len > 0);
 
 	/*
 	 * 5 spaces, 1 comma, 3 GMT, 2 %d, 4 %Y, 8 %H:%M:%S, 3+ %a, 3+ %b (29+)
 	 */
 	now = (time_t)t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT",
+			gmtime_r(&now, &tm));
+#else
 	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", gmtime(&now));
+#endif
 	INSIST(flen < len);
 }
 
@@ -420,6 +442,7 @@ isc_time_parsehttptimestamp(char *buf, isc_time_t *t) {
 
 	REQUIRE(buf != NULL);
 	REQUIRE(t != NULL);
+
 	p = isc_tm_strptime(buf, "%a, %d %b %Y %H:%M:%S", &t_tm);
 	if (p == NULL)
 		return (ISC_R_UNEXPECTED);
@@ -434,10 +457,20 @@ void
 isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
 	time_t now;
 	unsigned int flen;
+#ifdef ISC_PLATFORM_USETHREADS
+	struct tm tm;
+#endif
 
+	REQUIRE(t != NULL);
+	INSIST(t->nanoseconds < NS_PER_S);
+	REQUIRE(buf != NULL);
 	REQUIRE(len > 0);
 
 	now = (time_t)t->seconds;
+#ifdef ISC_PLATFORM_USETHREADS
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime_r(&now, &tm));
+#else
 	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+#endif
 	INSIST(flen < len);
 }
diff --git a/usr.sbin/bind/lib/isc/version.c b/usr.sbin/bind/lib/isc/version.c
index 45772a571cf..9309742945e 100644
--- a/usr.sbin/bind/lib/isc/version.c
+++ b/usr.sbin/bind/lib/isc/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:26 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:34 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isc/x86_32/Makefile.in b/usr.sbin/bind/lib/isc/x86_32/Makefile.in
index 4d11fb5172e..7689722b50a 100644
--- a/usr.sbin/bind/lib/isc/x86_32/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_32/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_32/include/Makefile.in b/usr.sbin/bind/lib/isc/x86_32/include/Makefile.in
index 00ae365da1e..056586b4787 100644
--- a/usr.sbin/bind/lib/isc/x86_32/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_32/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_32/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/x86_32/include/isc/Makefile.in
index 9b05657759d..ac008f6e1e2 100644
--- a/usr.sbin/bind/lib/isc/x86_32/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_32/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_32/include/isc/atomic.h b/usr.sbin/bind/lib/isc/x86_32/include/isc/atomic.h
index 1f100160f05..171262c942d 100644
--- a/usr.sbin/bind/lib/isc/x86_32/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/x86_32/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2008, 2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -130,12 +130,10 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
  * positions of the stack frame, which would not actually point to the
  * intended address in the embedded mnemonic.
  */
-#include <isc/util.h>		/* for 'UNUSED' macro */
-
 static isc_int32_t
 isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movl 8(%ebp), %ecx\n"
@@ -156,8 +154,8 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 
 static void
 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movl 8(%ebp), %ecx\n"
@@ -171,9 +169,9 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 
 static isc_int32_t
 isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(cmpval);
-	UNUSED(val);
+	(void)(p);
+	(void)(cmpval);
+	(void)(val);
 
 	__asm (
 		"movl 8(%ebp), %ecx\n"
diff --git a/usr.sbin/bind/lib/isc/x86_64/Makefile.in b/usr.sbin/bind/lib/isc/x86_64/Makefile.in
index 4d11fb5172e..7689722b50a 100644
--- a/usr.sbin/bind/lib/isc/x86_64/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_64/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_64/include/Makefile.in b/usr.sbin/bind/lib/isc/x86_64/include/Makefile.in
index 00ae365da1e..056586b4787 100644
--- a/usr.sbin/bind/lib/isc/x86_64/include/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_64/include/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_64/include/isc/Makefile.in b/usr.sbin/bind/lib/isc/x86_64/include/isc/Makefile.in
index 9b05657759d..ac008f6e1e2 100644
--- a/usr.sbin/bind/lib/isc/x86_64/include/isc/Makefile.in
+++ b/usr.sbin/bind/lib/isc/x86_64/include/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isc/x86_64/include/isc/atomic.h b/usr.sbin/bind/lib/isc/x86_64/include/isc/atomic.h
index 4a8ade09db9..d51d05f5b24 100644
--- a/usr.sbin/bind/lib/isc/x86_64/include/isc/atomic.h
+++ b/usr.sbin/bind/lib/isc/x86_64/include/isc/atomic.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2005, 2007, 2008, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: atomic.h,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -35,12 +35,11 @@
  * registers for arguments, which would not actually correspond to the
  * intended address or value in the embedded mnemonic.
  */
-#include <isc/util.h>		/* for 'UNUSED' macro */
 
 static isc_int32_t
 isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movq %rdi, %rdx\n"
@@ -58,8 +57,8 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 #ifdef ISC_PLATFORM_HAVEXADDQ
 static isc_int64_t
 isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movq %rdi, %rdx\n"
@@ -77,8 +76,8 @@ isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
 
 static void
 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movq %rdi, %rax\n"
@@ -93,8 +92,8 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 #ifdef ISC_PLATFORM_HAVEATOMICSTOREQ
 static void
 isc_atomic_storeq(isc_int64_t *p, isc_int64_t val) {
-	UNUSED(p);
-	UNUSED(val);
+	(void)(p);
+	(void)(val);
 
 	__asm (
 		"movq %rdi, %rax\n"
@@ -109,9 +108,9 @@ isc_atomic_storeq(isc_int64_t *p, isc_int64_t val) {
 
 static isc_int32_t
 isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
-	UNUSED(p);
-	UNUSED(cmpval);
-	UNUSED(val);
+	(void)(p);
+	(void)(cmpval);
+	(void)(val);
 
 	__asm (
 		/*
diff --git a/usr.sbin/bind/lib/isccc/Makefile.in b/usr.sbin/bind/lib/isccc/Makefile.in
index ec6c8cd6220..4c35876a5d1 100644
--- a/usr.sbin/bind/lib/isccc/Makefile.in
+++ b/usr.sbin/bind/lib/isccc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2009, 2011, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.6 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccc/alist.c b/usr.sbin/bind/lib/isccc/alist.c
index b07b474103e..96bf273b185 100644
--- a/usr.sbin/bind/lib/isccc/alist.c
+++ b/usr.sbin/bind/lib/isccc/alist.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: alist.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/api b/usr.sbin/bind/lib/isccc/api
index 1dd47388594..13c35e573e6 100644
--- a/usr.sbin/bind/lib/isccc/api
+++ b/usr.sbin/bind/lib/isccc/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
 LIBINTERFACE = 140
-LIBREVISION = 5
+LIBREVISION = 6
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/isccc/base64.c b/usr.sbin/bind/lib/isccc/base64.c
index fd32555fc1a..3c41af17559 100644
--- a/usr.sbin/bind/lib/isccc/base64.c
+++ b/usr.sbin/bind/lib/isccc/base64.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: base64.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/cc.c b/usr.sbin/bind/lib/isccc/cc.c
index da3bb1292f9..59a73f2f00e 100644
--- a/usr.sbin/bind/lib/isccc/cc.c
+++ b/usr.sbin/bind/lib/isccc/cc.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007, 2012, 2013, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001-2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
diff --git a/usr.sbin/bind/lib/isccc/ccmsg.c b/usr.sbin/bind/lib/isccc/ccmsg.c
index c82edcca9d9..c9a3144f190 100644
--- a/usr.sbin/bind/lib/isccc/ccmsg.c
+++ b/usr.sbin/bind/lib/isccc/ccmsg.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: ccmsg.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/include/Makefile.in b/usr.sbin/bind/lib/isccc/include/Makefile.in
index 0f1f4c981c4..1a4bc9bddf4 100644
--- a/usr.sbin/bind/lib/isccc/include/Makefile.in
+++ b/usr.sbin/bind/lib/isccc/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:37 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/Makefile.in b/usr.sbin/bind/lib/isccc/include/isccc/Makefile.in
index 3860395df74..cc69a2e6a72 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/Makefile.in
+++ b/usr.sbin/bind/lib/isccc/include/isccc/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/alist.h b/usr.sbin/bind/lib/isccc/include/isccc/alist.h
index 2a8b50007ae..aa24f43d083 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/alist.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/alist.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: alist.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_ALIST_H
 #define ISCCC_ALIST_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/base64.h b/usr.sbin/bind/lib/isccc/include/isccc/base64.h
index e96fbf8e5fd..af25c057ee8 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/base64.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/base64.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: base64.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_BASE64_H
 #define ISCCC_BASE64_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/cc.h b/usr.sbin/bind/lib/isccc/include/isccc/cc.h
index 5fab4e0b53a..d361188f0bf 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/cc.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/cc.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: cc.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_CC_H
 #define ISCCC_CC_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/ccmsg.h b/usr.sbin/bind/lib/isccc/include/isccc/ccmsg.h
index 52105f226a1..6ed2fe21b62 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/ccmsg.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/ccmsg.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: ccmsg.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_CCMSG_H
 #define ISCCC_CCMSG_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/events.h b/usr.sbin/bind/lib/isccc/include/isccc/events.h
index 3a92343e532..048b41c31a3 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/events.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/events.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: events.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_EVENTS_H
 #define ISCCC_EVENTS_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/lib.h b/usr.sbin/bind/lib/isccc/include/isccc/lib.h
index f8c92867cf0..76fc320e657 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/lib.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/lib.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lib.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_LIB_H
 #define ISCCC_LIB_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/result.h b/usr.sbin/bind/lib/isccc/include/isccc/result.h
index 02b2902d590..1103b19269f 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/result.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/result.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.5 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: result.h,v 1.6 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_RESULT_H
 #define ISCCC_RESULT_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/sexpr.h b/usr.sbin/bind/lib/isccc/include/isccc/sexpr.h
index 40ac8d82e4e..33aa95f5316 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/sexpr.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/sexpr.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: sexpr.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_SEXPR_H
 #define ISCCC_SEXPR_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/symtab.h b/usr.sbin/bind/lib/isccc/include/isccc/symtab.h
index 16534440b43..bcd1775e0a6 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/symtab.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/symtab.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: symtab.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_SYMTAB_H
 #define ISCCC_SYMTAB_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/symtype.h b/usr.sbin/bind/lib/isccc/include/isccc/symtype.h
index cb1d375cdcf..4092b9b7474 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/symtype.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/symtype.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtype.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: symtype.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_SYMTYPE_H
 #define ISCCC_SYMTYPE_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/types.h b/usr.sbin/bind/lib/isccc/include/isccc/types.h
index 75e4f55b875..2d3e71c7ad4 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/types.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/types.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: types.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_TYPES_H
 #define ISCCC_TYPES_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/util.h b/usr.sbin/bind/lib/isccc/include/isccc/util.h
index c16cdd4801c..1e95d376528 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/util.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/util.h
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: util.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCC_UTIL_H
 #define ISCCC_UTIL_H 1
diff --git a/usr.sbin/bind/lib/isccc/include/isccc/version.h b/usr.sbin/bind/lib/isccc/include/isccc/version.h
index 0e7890b7a20..1c7cf7f4e1d 100644
--- a/usr.sbin/bind/lib/isccc/include/isccc/version.h
+++ b/usr.sbin/bind/lib/isccc/include/isccc/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file isccc/version.h */
 
diff --git a/usr.sbin/bind/lib/isccc/lib.c b/usr.sbin/bind/lib/isccc/lib.c
index 544cd363f15..6fcd8030dcb 100644
--- a/usr.sbin/bind/lib/isccc/lib.c
+++ b/usr.sbin/bind/lib/isccc/lib.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lib.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/result.c b/usr.sbin/bind/lib/isccc/result.c
index 8534fc2bc66..f12f88061c2 100644
--- a/usr.sbin/bind/lib/isccc/result.c
+++ b/usr.sbin/bind/lib/isccc/result.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.5 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: result.c,v 1.6 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/sexpr.c b/usr.sbin/bind/lib/isccc/sexpr.c
index adf27bde79d..d5c7c08ec05 100644
--- a/usr.sbin/bind/lib/isccc/sexpr.c
+++ b/usr.sbin/bind/lib/isccc/sexpr.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
diff --git a/usr.sbin/bind/lib/isccc/symtab.c b/usr.sbin/bind/lib/isccc/symtab.c
index 76bb816bdd1..755d642466c 100644
--- a/usr.sbin/bind/lib/isccc/symtab.c
+++ b/usr.sbin/bind/lib/isccc/symtab.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2001  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,6 +13,9 @@
  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -29,7 +31,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: symtab.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccc/version.c b/usr.sbin/bind/lib/isccc/version.c
index 63df78fbf35..91eaa3508c6 100644
--- a/usr.sbin/bind/lib/isccc/version.c
+++ b/usr.sbin/bind/lib/isccc/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:37 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccfg/Makefile.in b/usr.sbin/bind/lib/isccfg/Makefile.in
index 04e01de9c71..538e0398be1 100644
--- a/usr.sbin/bind/lib/isccfg/Makefile.in
+++ b/usr.sbin/bind/lib/isccfg/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.6 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccfg/aclconf.c b/usr.sbin/bind/lib/isccfg/aclconf.c
index 83fb8fe9a1f..d90e5398148 100644
--- a/usr.sbin/bind/lib/isccfg/aclconf.c
+++ b/usr.sbin/bind/lib/isccfg/aclconf.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,6 +17,7 @@
 #include <config.h>
 
 #include <isc/mem.h>
+#include <isc/print.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
@@ -421,23 +421,27 @@ geoip_can_answer(dns_aclelement_t *elt, cfg_aclconfctx_t *ctx) {
 		    ctx->geoip->country_v6 != NULL ||
 		    ctx->geoip->region != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_region:
 	case dns_geoip_regionname:
 		if (ctx->geoip->city_v4 != NULL ||
 		    ctx->geoip->city_v6 != NULL ||
 		    ctx->geoip->region != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_country_code:
 	case dns_geoip_country_code3:
 	case dns_geoip_country_name:
 		if (ctx->geoip->country_v4 != NULL ||
 		    ctx->geoip->country_v6 != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_region_countrycode:
 	case dns_geoip_region_code:
 	case dns_geoip_region_name:
 		if (ctx->geoip->region != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_city_countrycode:
 	case dns_geoip_city_countrycode3:
 	case dns_geoip_city_countryname:
@@ -452,18 +456,23 @@ geoip_can_answer(dns_aclelement_t *elt, cfg_aclconfctx_t *ctx) {
 		if (ctx->geoip->city_v4 != NULL ||
 		    ctx->geoip->city_v6 != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_isp_name:
 		if (ctx->geoip->isp != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_org_name:
 		if (ctx->geoip->org != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_as_asnum:
 		if (ctx->geoip->as != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_domain_name:
 		if (ctx->geoip->domain != NULL)
 			return (ISC_TRUE);
+		/* FALLTHROUGH */
 	case dns_geoip_netspeed_id:
 		if (ctx->geoip->netspeed != NULL)
 			return (ISC_TRUE);
diff --git a/usr.sbin/bind/lib/isccfg/api b/usr.sbin/bind/lib/isccfg/api
index c9725cb9d96..0aaf5dfceb3 100644
--- a/usr.sbin/bind/lib/isccfg/api
+++ b/usr.sbin/bind/lib/isccfg/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
-LIBINTERFACE = 144
-LIBREVISION = 0
-LIBAGE = 0
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
+LIBINTERFACE = 145
+LIBREVISION = 1
+LIBAGE = 1
diff --git a/usr.sbin/bind/lib/isccfg/dnsconf.c b/usr.sbin/bind/lib/isccfg/dnsconf.c
index faad1aca27c..7e32fe17caa 100644
--- a/usr.sbin/bind/lib/isccfg/dnsconf.c
+++ b/usr.sbin/bind/lib/isccfg/dnsconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.c,v 1.1 2019/12/16 16:31:36 deraadt Exp $ */
+/* $Id: dnsconf.c,v 1.2 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccfg/include/Makefile.in b/usr.sbin/bind/lib/isccfg/include/Makefile.in
index fdff5afa20f..8be5a9f0a0c 100644
--- a/usr.sbin/bind/lib/isccfg/include/Makefile.in
+++ b/usr.sbin/bind/lib/isccfg/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/Makefile.in b/usr.sbin/bind/lib/isccfg/include/isccfg/Makefile.in
index 928dbe74e10..071333c735f 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/Makefile.in
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001, 2002  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/aclconf.h b/usr.sbin/bind/lib/isccfg/include/isccfg/aclconf.h
index 19dc5afa546..a733653c9cb 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/aclconf.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/aclconf.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: aclconf.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCFG_ACLCONF_H
 #define ISCCFG_ACLCONF_H 1
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/cfg.h b/usr.sbin/bind/lib/isccfg/include/isccfg/cfg.h
index e4373aa1921..a6d4670e01a 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/cfg.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/cfg.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2010, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: cfg.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -121,6 +120,11 @@ cfg_parse_file(cfg_parser_t *pctx, const char *filename,
 isc_result_t
 cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
 		 const cfg_type_t *type, cfg_obj_t **ret);
+isc_result_t
+cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, unsigned int flags,
+		  cfg_obj_t **ret);
 /*%<
  * Read a configuration containing data of type 'type'
  * and make '*ret' point to its parse tree.
@@ -136,6 +140,7 @@ cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
  *\li 	"mem" is valid.
  *\li	"type" is valid.
  *\li 	"cfg" is non-NULL and "*cfg" is NULL.
+ *\li   "flags" be one or more of CFG_PCTX_NODEPRECATED or zero.
  *
  * Returns:
  *     \li #ISC_R_SUCCESS                 - success
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/dnsconf.h b/usr.sbin/bind/lib/isccfg/include/isccfg/dnsconf.h
index 597451763dc..10fe91d460f 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/dnsconf.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/dnsconf.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,10 +14,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnsconf.h,v 1.1 2019/12/16 16:31:36 deraadt Exp $ */
+/* $Id: dnsconf.h,v 1.2 2019/12/17 01:46:38 sthen Exp $ */
 
-#ifndef ISCCFG_NAMEDCONF_H
-#define ISCCFG_NAMEDCONF_H 1
+#ifndef ISCCFG_DNSCONF_H
+#define ISCCFG_DNSCONF_H 1
 
 /*! \file
  * \brief
@@ -32,4 +32,4 @@
 LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_dnsconf;
 /*%< A complete dns.conf file. */
 
-#endif /* ISCCFG_CFG_H */
+#endif /* ISCCFG_DNSCONF_H */
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/grammar.h b/usr.sbin/bind/lib/isccfg/include/isccfg/grammar.h
index d09fc6d0423..c8356534569 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/grammar.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/grammar.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2011, 2013-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: grammar.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
@@ -57,6 +56,8 @@
 #define CFG_CLAUSEFLAG_NOTCONFIGURED	0x00000080
 /*% A option for a experimental feature. */
 #define CFG_CLAUSEFLAG_EXPERIMENTAL	0x00000100
+/*% Clause is obsolete in a future release */
+#define CFG_CLAUSEFLAG_DEPRECATED	0x00000400
 
 typedef struct cfg_clausedef cfg_clausedef_t;
 typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
@@ -235,6 +236,7 @@ struct cfg_parser {
 
 /* Parser context flags */
 #define CFG_PCTX_SKIP		0x1
+#define CFG_PCTX_NODEPRECATED	0x2
 
 /*@{*/
 /*%
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/log.h b/usr.sbin/bind/lib/isccfg/include/isccfg/log.h
index c83a82ff307..133951533b0 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/log.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/log.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: log.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCFG_LOG_H
 #define ISCCFG_LOG_H 1
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/namedconf.h b/usr.sbin/bind/lib/isccfg/include/isccfg/namedconf.h
index c89d7744f2b..6681875e8e5 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/namedconf.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/namedconf.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2009, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: namedconf.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
diff --git a/usr.sbin/bind/lib/isccfg/include/isccfg/version.h b/usr.sbin/bind/lib/isccfg/include/isccfg/version.h
index b4807270d13..10ff89ed082 100644
--- a/usr.sbin/bind/lib/isccfg/include/isccfg/version.h
+++ b/usr.sbin/bind/lib/isccfg/include/isccfg/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file isccfg/version.h */
 
diff --git a/usr.sbin/bind/lib/isccfg/log.c b/usr.sbin/bind/lib/isccfg/log.c
index c0aeb178ed5..b402f39bf69 100644
--- a/usr.sbin/bind/lib/isccfg/log.c
+++ b/usr.sbin/bind/lib/isccfg/log.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: log.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/isccfg/namedconf.c b/usr.sbin/bind/lib/isccfg/namedconf.c
index 00f8640cad7..ece40659cb7 100644
--- a/usr.sbin/bind/lib/isccfg/namedconf.c
+++ b/usr.sbin/bind/lib/isccfg/namedconf.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2002, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1009,9 +1008,6 @@ options_clauses[] = {
 	{ "blackhole", &cfg_type_bracketed_aml, 0 },
 	{ "coresize", &cfg_type_size, 0 },
 	{ "datasize", &cfg_type_size, 0 },
-	{ "session-keyfile", &cfg_type_qstringornone, 0 },
-	{ "session-keyname", &cfg_type_astring, 0 },
-	{ "session-keyalg", &cfg_type_astring, 0 },
 	{ "deallocate-on-exit", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "directory", &cfg_type_qstring, CFG_CLAUSEFLAG_CALLBACK },
 	{ "dscp", &cfg_type_uint32, 0 },
@@ -1033,42 +1029,45 @@ options_clauses[] = {
 	{ "interface-interval", &cfg_type_uint32, 0 },
 	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
 	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
-#ifdef ISC_PLATFORM_USESIT
-	{ "sit-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_EXPERIMENTAL },
-#else
-	{ "sit-secret", &cfg_type_sstring,
-	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
 	{ "managed-keys-directory", &cfg_type_qstring, 0 },
 	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
 	{ "max-rsa-exponent-size", &cfg_type_uint32, 0 },
-	{ "memstatistics-file", &cfg_type_qstring, 0 },
 	{ "memstatistics", &cfg_type_boolean, 0 },
+	{ "memstatistics-file", &cfg_type_qstring, 0 },
 	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "pid-file", &cfg_type_qstringornone, 0 },
 	{ "port", &cfg_type_uint32, 0 },
 	{ "querylog", &cfg_type_boolean, 0 },
-	{ "recursing-file", &cfg_type_qstring, 0 },
 	{ "random-device", &cfg_type_qstring, 0 },
+	{ "recursing-file", &cfg_type_qstring, 0 },
 	{ "recursive-clients", &cfg_type_uint32, 0 },
 	{ "reserved-sockets", &cfg_type_uint32, 0 },
 	{ "secroots-file", &cfg_type_qstring, 0 },
 	{ "serial-queries", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "serial-query-rate", &cfg_type_uint32, 0 },
 	{ "server-id", &cfg_type_serverid, 0 },
+	{ "session-keyalg", &cfg_type_astring, 0 },
+	{ "session-keyfile", &cfg_type_qstringornone, 0 },
+	{ "session-keyname", &cfg_type_astring, 0 },
+#ifdef ISC_PLATFORM_USESIT
+	{ "sit-secret", &cfg_type_sstring, CFG_CLAUSEFLAG_EXPERIMENTAL },
+#else
+	{ "sit-secret", &cfg_type_sstring,
+	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
 	{ "stacksize", &cfg_type_size, 0 },
 	{ "statistics-file", &cfg_type_qstring, 0 },
 	{ "statistics-interval", &cfg_type_uint32, CFG_CLAUSEFLAG_NYI },
 	{ "tcp-clients", &cfg_type_uint32, 0 },
 	{ "tcp-listen-queue", &cfg_type_uint32, 0 },
 	{ "tkey-dhkey", &cfg_type_tkey_dhkey, 0 },
+	{ "tkey-domain", &cfg_type_qstring, 0 },
 	{ "tkey-gssapi-credential", &cfg_type_qstring, 0 },
 	{ "tkey-gssapi-keytab", &cfg_type_qstring, 0 },
-	{ "tkey-domain", &cfg_type_qstring, 0 },
-	{ "transfers-per-ns", &cfg_type_uint32, 0 },
 	{ "transfers-in", &cfg_type_uint32, 0 },
 	{ "transfers-out", &cfg_type_uint32, 0 },
+	{ "transfers-per-ns", &cfg_type_uint32, 0 },
 	{ "treat-cr-as-space", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-id-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "use-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
@@ -1172,8 +1171,8 @@ static cfg_type_t cfg_type_masterformat = {
 
 /*%
  *  response-policy {
- *	zone <string> [ policy (given|disabled|passthru|drop|tcp-only|
- *					nxdomain|nodata|cname <domain> ) ]
+ *	zone &lt;string&gt; [ policy (given|disabled|passthru|drop|tcp-only|
+ *					nxdomain|nodata|cname &lt;domain&gt; ) ]
  *		      [ recursive-only yes|no ] [ max-policy-ttl number ] ;
  *  } [ recursive-only yes|no ] [ max-policy-ttl number ]
  *	 [ break-dnssec yes|no ] [ min-ns-dots number ]
@@ -1558,8 +1557,8 @@ view_clauses[] = {
 	  CFG_CLAUSEFLAG_MULTI },
 	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
 	{ "dns64", &cfg_type_dns64, CFG_CLAUSEFLAG_MULTI },
-	{ "dns64-server", &cfg_type_astring, 0 },
 	{ "dns64-contact", &cfg_type_astring, 0 },
+	{ "dns64-server", &cfg_type_astring, 0 },
 	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
 	{ "dnssec-enable", &cfg_type_boolean, 0 },
 	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
@@ -1577,18 +1576,27 @@ view_clauses[] = {
 	{ "fetches-per-server", &cfg_type_fetchesper, 0 },
 	{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
 #else
-	{ "fetch-quota-params", &cfg_type_fetchquota, CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "fetches-per-server", &cfg_type_fetchesper, CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "fetches-per-zone", &cfg_type_fetchesper, CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fetch-quota-params", &cfg_type_fetchquota,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fetches-per-server", &cfg_type_fetchesper,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "fetches-per-zone", &cfg_type_fetchesper,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif /* ENABLE_FETCHLIMIT */
-	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
-	{ "lame-ttl", &cfg_type_uint32, 0 },
-#ifdef ISC_PLATFORM_USESIT
-	{ "nosit-udp-size", &cfg_type_uint32, CFG_CLAUSEFLAG_EXPERIMENTAL },
+#ifdef ALLOW_FILTER_AAAA
+	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
+	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
+	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
 #else
-	{ "nosit-udp-size", &cfg_type_uint32,
-	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa", &cfg_type_bracketed_aml,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
+	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
+	  CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
+	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
+	{ "lame-ttl", &cfg_type_uint32, 0 },
 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
 	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
 	{ "max-cache-ttl", &cfg_type_uint32, 0 },
@@ -1599,9 +1607,15 @@ view_clauses[] = {
 	{ "max-udp-size", &cfg_type_uint32, 0 },
 	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
 	{ "minimal-responses", &cfg_type_boolean, 0 },
-	{ "prefetch", &cfg_type_prefetch, 0 },
-	{ "preferred-glue", &cfg_type_astring, 0 },
 	{ "no-case-compress", &cfg_type_bracketed_aml, 0 },
+#ifdef ISC_PLATFORM_USESIT
+	{ "nosit-udp-size", &cfg_type_uint32, CFG_CLAUSEFLAG_EXPERIMENTAL },
+#else
+	{ "nosit-udp-size", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
+	{ "preferred-glue", &cfg_type_astring, 0 },
+	{ "prefetch", &cfg_type_prefetch, 0 },
 	{ "provide-ixfr", &cfg_type_boolean, 0 },
 	/*
 	 * Note that the query-source option syntax is different
@@ -1612,17 +1626,20 @@ view_clauses[] = {
 	{ "queryport-pool-ports", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "queryport-pool-updateinterval", &cfg_type_uint32,
 	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "rate-limit", &cfg_type_rrl, 0 },
 	{ "recursion", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
 #ifdef ISC_PLATFORM_USESIT
 	{ "request-sit", &cfg_type_boolean, CFG_CLAUSEFLAG_EXPERIMENTAL },
 #else
 	{ "request-sit", &cfg_type_boolean,
 	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
-	{ "request-nsid", &cfg_type_boolean, 0 },
 	{ "resolver-query-timeout", &cfg_type_uint32, 0 },
+	{ "response-policy", &cfg_type_rpz, 0 },
 	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
 	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "root-key-sentinel", &cfg_type_boolean, 0 },
 	{ "rrset-order", &cfg_type_rrsetorder, 0 },
 	{ "sortlist", &cfg_type_bracketed_aml, 0 },
 	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
@@ -1632,20 +1649,6 @@ view_clauses[] = {
 	  CFG_CLAUSEFLAG_EXPERIMENTAL },
 	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
-#ifdef ALLOW_FILTER_AAAA
-	{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
-	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
-	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
-#else
-	{ "filter-aaaa", &cfg_type_bracketed_aml,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-	{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa,
-	   CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
-	{ "response-policy", &cfg_type_rpz, 0 },
-	{ "rate-limit", &cfg_type_rrl, 0 },
 	{ NULL, NULL, 0 }
 };
 
@@ -1888,7 +1891,6 @@ server_clauses[] = {
 	{ "edns-udp-size", &cfg_type_uint32, 0 },
 	{ "keys", &cfg_type_server_key_kludge, 0 },
 	{ "max-udp-size", &cfg_type_uint32, 0 },
-	{ "tcp-only", &cfg_type_boolean, 0 },
 	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
 	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "provide-ixfr", &cfg_type_boolean, 0 },
@@ -1903,6 +1905,7 @@ server_clauses[] = {
 	  CFG_CLAUSEFLAG_EXPERIMENTAL | CFG_CLAUSEFLAG_NOTCONFIGURED },
 #endif
 	{ "support-ixfr", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "tcp-only", &cfg_type_boolean, 0 },
 	{ "transfer-format", &cfg_type_transferformat, 0 },
 	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
 	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
diff --git a/usr.sbin/bind/lib/isccfg/parser.c b/usr.sbin/bind/lib/isccfg/parser.c
index f82b3d91dd2..8e5128b1c14 100644
--- a/usr.sbin/bind/lib/isccfg/parser.c
+++ b/usr.sbin/bind/lib/isccfg/parser.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -302,7 +301,7 @@ cfg_print_tuple(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 
 void
 cfg_doc_tuple(cfg_printer_t *pctx, const cfg_type_t *type) {
-	const cfg_tuplefielddef_t *fields = type->of;
+	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
 	isc_boolean_t need_space = ISC_FALSE;
 
@@ -546,7 +545,8 @@ parse2(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 	if (result != ISC_R_SUCCESS) {
 		/* Parsing failed but no errors have been logged. */
-		cfg_parser_error(pctx, 0, "parsing failed");
+		cfg_parser_error(pctx, 0, "parsing failed: %s",
+				 isc_result_totext(result));
 		goto cleanup;
 	}
 
@@ -582,13 +582,29 @@ isc_result_t
 cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
 	const cfg_type_t *type, cfg_obj_t **ret)
 {
+	return (cfg_parse_buffer4(pctx, buffer, NULL, 0, type, 0, ret));
+}
+
+isc_result_t
+cfg_parse_buffer4(cfg_parser_t *pctx, isc_buffer_t *buffer,
+		  const char *file, unsigned int line,
+		  const cfg_type_t *type, unsigned int flags,
+		  cfg_obj_t **ret)
+{
 	isc_result_t result;
 	REQUIRE(pctx != NULL);
 	REQUIRE(type != NULL);
 	REQUIRE(buffer != NULL);
 	REQUIRE(ret != NULL && *ret == NULL);
+	REQUIRE((flags & ~(CFG_PCTX_NODEPRECATED)) == 0);
+
+	UNUSED(file);
+	UNUSED(line);
 
 	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
+
+	pctx->flags = flags;
+
 	CHECK(parse2(pctx, type, ret));
  cleanup:
 	return (result);
@@ -1104,7 +1120,7 @@ cfg_parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 	cfg_obj_t *obj = NULL;
 
 	REQUIRE(pctx != NULL);
-	REQUIRE(ret != NULL && ret != NULL);
+	REQUIRE(ret != NULL && *ret == NULL);
 
 	UNUSED(type);
 
@@ -1501,12 +1517,14 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 		}
 	done:
 		if (clause == NULL || clause->name == NULL) {
-			cfg_parser_error(pctx, CFG_LOG_NOPREP, "unknown option");
+			cfg_parser_error(pctx, CFG_LOG_NOPREP,
+					 "unknown option");
 			/*
 			 * Try to recover by parsing this option as an unknown
 			 * option and discarding it.
 			 */
-			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported, &eltobj));
+			CHECK(cfg_parse_obj(pctx, &cfg_type_unsupported,
+					    &eltobj));
 			cfg_obj_destroy(pctx, &eltobj);
 			CHECK(parse_semicolon(pctx));
 			continue;
@@ -1515,15 +1533,24 @@ cfg_parse_mapbody(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 		/* Clause is known. */
 
 		/* Issue warnings if appropriate */
-		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0)
+		if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0 &&
+		    (clause->flags & CFG_CLAUSEFLAG_DEPRECATED) != 0)
+		{
+			cfg_parser_warning(pctx, 0, "option '%s' is deprecated",
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_OBSOLETE) != 0) {
 			cfg_parser_warning(pctx, 0, "option '%s' is obsolete",
-				       clause->name);
-		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0)
+					   clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NOTIMP) != 0) {
 			cfg_parser_warning(pctx, 0, "option '%s' is "
-				       "not implemented", clause->name);
-		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0)
+					   "not implemented", clause->name);
+		}
+		if ((clause->flags & CFG_CLAUSEFLAG_NYI) != 0) {
 			cfg_parser_warning(pctx, 0, "option '%s' is "
-				       "not implemented", clause->name);
+					   "not implemented", clause->name);
+		}
 
 		if ((clause->flags & CFG_CLAUSEFLAG_NOTCONFIGURED) != 0) {
 			cfg_parser_warning(pctx, 0, "option '%s' was not "
@@ -2032,27 +2059,25 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
 				return (ISC_R_SUCCESS);
 			}
 		}
-		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 &&
-		    strlen(s) <= 15U) {
+		if ((flags & CFG_ADDR_V4PREFIXOK) != 0 && strlen(s) <= 15U) {
 			char buf[64];
 			int i;
 
-			strcpy(buf, s);
+			strlcpy(buf, s, sizeof(buf));
 			for (i = 0; i < 3; i++) {
-				strcat(buf, ".0");
+				strlcat(buf, ".0", sizeof(buf));
 				if (inet_pton(AF_INET, buf, &in4a) == 1) {
 					isc_netaddr_fromin(na, &in4a);
 					return (ISC_R_SUCCESS);
 				}
 			}
 		}
-		if ((flags & CFG_ADDR_V6OK) != 0 &&
-		    strlen(s) <= 127U) {
+		if ((flags & CFG_ADDR_V6OK) != 0 && strlen(s) <= 127U) {
 			char buf[128]; /* see lib/bind9/getaddresses.c */
 			char *d; /* zone delimiter */
 			isc_uint32_t zone = 0; /* scope zone ID */
 
-			strcpy(buf, s);
+			strlcpy(buf, s, sizeof(buf));
 			d = strchr(buf, '%');
 			if (d != NULL)
 				*d = '\0';
@@ -2703,9 +2728,10 @@ parser_complain(cfg_parser_t *pctx, isc_boolean_t is_warning,
 
 	len = vsnprintf(message, sizeof(message), format, args);
 #define ELIPSIS " ... "
-	if (len >= sizeof(message))
-		strcpy(message + sizeof(message) - sizeof(ELIPSIS) - 1,
-		       ELIPSIS);
+	if (len >= sizeof(message)) {
+		message[sizeof(message) - sizeof(ELIPSIS)] = 0;
+		strlcat(message, ELIPSIS, sizeof(message));
+	}
 
 	if ((flags & (CFG_LOG_NEAR|CFG_LOG_BEFORE|CFG_LOG_NOPREP)) != 0) {
 		isc_region_t r;
diff --git a/usr.sbin/bind/lib/isccfg/version.c b/usr.sbin/bind/lib/isccfg/version.c
index df14c77e08c..e6674b0bf77 100644
--- a/usr.sbin/bind/lib/isccfg/version.c
+++ b/usr.sbin/bind/lib/isccfg/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1998-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/Makefile.in b/usr.sbin/bind/lib/lwres/Makefile.in
index d20149930c2..e9f3b344d6b 100644
--- a/usr.sbin/bind/lib/lwres/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2005, 2007, 2012, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:28 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -74,6 +73,8 @@ liblwres.la: ${OBJS} version.@O@
 timestamp: liblwres.@A@
 	touch timestamp
 
+testdirs: liblwres.@A@
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${libdir}
 
diff --git a/usr.sbin/bind/lib/lwres/api b/usr.sbin/bind/lib/lwres/api
index e8435c620f1..e70183f6dd2 100644
--- a/usr.sbin/bind/lib/lwres/api
+++ b/usr.sbin/bind/lib/lwres/api
@@ -2,10 +2,12 @@
 # 9.6: 50-59, 110-119
 # 9.7: 60-79
 # 9.8: 80-89, 120-129
-# 9.9: 90-109
-# 9.9-sub: 130-139
-# 9.10: 140-149, 170-179
-# 9.11: 160-169
+# 9.9: 90-109, 170-179
+# 9.9-sub: 130-139, 150-159, 200-209
+# 9.10: 140-149, 190-199
+# 9.10-sub: 180-189
+# 9.11: 160-169,1100-1199
+# 9.12: 1200-1299
 LIBINTERFACE = 141
-LIBREVISION = 3
+LIBREVISION = 5
 LIBAGE = 0
diff --git a/usr.sbin/bind/lib/lwres/assert_p.h b/usr.sbin/bind/lib/lwres/assert_p.h
index ae990953c0c..23362c48707 100644
--- a/usr.sbin/bind/lib/lwres/assert_p.h
+++ b/usr.sbin/bind/lib/lwres/assert_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assert_p.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: assert_p.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_ASSERT_P_H
 #define LWRES_ASSERT_P_H 1
diff --git a/usr.sbin/bind/lib/lwres/compat.c b/usr.sbin/bind/lib/lwres/compat.c
index 3b7a07048e2..e12ea77f431 100644
--- a/usr.sbin/bind/lib/lwres/compat.c
+++ b/usr.sbin/bind/lib/lwres/compat.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/context.c b/usr.sbin/bind/lib/lwres/context.c
index 27804facf35..d73e886cfe8 100644
--- a/usr.sbin/bind/lib/lwres/context.c
+++ b/usr.sbin/bind/lib/lwres/context.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007-2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.8 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: context.c,v 1.9 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
diff --git a/usr.sbin/bind/lib/lwres/context_p.h b/usr.sbin/bind/lib/lwres/context_p.h
index 3c467cc7c6a..0a9c363d95b 100644
--- a/usr.sbin/bind/lib/lwres/context_p.h
+++ b/usr.sbin/bind/lib/lwres/context_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context_p.h,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: context_p.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
diff --git a/usr.sbin/bind/lib/lwres/gai_strerror.c b/usr.sbin/bind/lib/lwres/gai_strerror.c
index 9cf4abe7e7b..9c3b7764a73 100644
--- a/usr.sbin/bind/lib/lwres/gai_strerror.c
+++ b/usr.sbin/bind/lib/lwres/gai_strerror.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: gai_strerror.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file gai_strerror.c
  * lwres_gai_strerror() returns an error message corresponding to an
diff --git a/usr.sbin/bind/lib/lwres/getaddrinfo.c b/usr.sbin/bind/lib/lwres/getaddrinfo.c
index 98f29237124..763be95055f 100644
--- a/usr.sbin/bind/lib/lwres/getaddrinfo.c
+++ b/usr.sbin/bind/lib/lwres/getaddrinfo.c
@@ -1,6 +1,8 @@
 /*
- * Copyright (C) 2004-2008, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
  *
  * This code is derived from software contributed to ISC by
  * Berkeley Software Design, Inc.
@@ -18,7 +20,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.7 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: getaddrinfo.c,v 1.8 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/gethost.c b/usr.sbin/bind/lib/lwres/gethost.c
index 059beeedda4..2e2d6a7803f 100644
--- a/usr.sbin/bind/lib/lwres/gethost.c
+++ b/usr.sbin/bind/lib/lwres/gethost.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gethost.c,v 1.5 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: gethost.c,v 1.6 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/getipnode.c b/usr.sbin/bind/lib/lwres/getipnode.c
index 54584f5e3c0..630887f6236 100644
--- a/usr.sbin/bind/lib/lwres/getipnode.c
+++ b/usr.sbin/bind/lib/lwres/getipnode.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.8 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: getipnode.c,v 1.9 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/getnameinfo.c b/usr.sbin/bind/lib/lwres/getnameinfo.c
index f1b391e39d0..af78f3c2c37 100644
--- a/usr.sbin/bind/lib/lwres/getnameinfo.c
+++ b/usr.sbin/bind/lib/lwres/getnameinfo.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2011-2013  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.8 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: getnameinfo.c,v 1.9 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/getrrset.c b/usr.sbin/bind/lib/lwres/getrrset.c
index eed39b80871..3b3803aa476 100644
--- a/usr.sbin/bind/lib/lwres/getrrset.c
+++ b/usr.sbin/bind/lib/lwres/getrrset.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getrrset.c,v 1.6 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: getrrset.c,v 1.7 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/herror.c b/usr.sbin/bind/lib/lwres/herror.c
index 6603adfba03..1039fdf4338 100644
--- a/usr.sbin/bind/lib/lwres/herror.c
+++ b/usr.sbin/bind/lib/lwres/herror.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -68,7 +67,7 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
 static const char rcsid[] =
-	"$Id: herror.c,v 1.6 2019/12/16 16:16:28 deraadt Exp $";
+	"$Id: herror.c,v 1.7 2019/12/17 01:46:38 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/usr.sbin/bind/lib/lwres/include/Makefile.in b/usr.sbin/bind/lib/lwres/include/Makefile.in
index 2f501fa4635..6015951061e 100644
--- a/usr.sbin/bind/lib/lwres/include/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/Makefile.in b/usr.sbin/bind/lib/lwres/include/lwres/Makefile.in
index 9f9744bea4c..f5c3b8eb071 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/include/lwres/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2000, 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/context.h b/usr.sbin/bind/lib/lwres/include/lwres/context.h
index 963c779a7e2..9febdff7bf0 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/context.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/context.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: context.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/int.h b/usr.sbin/bind/lib/lwres/include/lwres/int.h
index 5faa7e8dcc2..21194e4966e 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/int.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/int.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: int.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_INT_H
 #define LWRES_INT_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/ipv6.h b/usr.sbin/bind/lib/lwres/include/lwres/ipv6.h
index 76941c7bfbd..9d38295e4fe 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/ipv6.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/ipv6.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: ipv6.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_IPV6_H
 #define LWRES_IPV6_H 1
@@ -41,11 +40,11 @@
 
 /*% in6_addr structure */
 struct in6_addr {
-        union {
+	union {
 		lwres_uint8_t	_S6_u8[16];
 		lwres_uint16_t	_S6_u16[8];
 		lwres_uint32_t	_S6_u32[4];
-        } _S6_un;
+	} _S6_un;
 };
 /*@{*/
 /*% IP v6 types */
@@ -89,36 +88,36 @@ struct in6_pktinfo {
  * Unspecified IPv6 address
  */
 #define IN6_IS_ADDR_UNSPECIFIED(a)      \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == 0))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == 0))
 
 /*
  * Loopback
  */
 #define IN6_IS_ADDR_LOOPBACK(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] == htonl(1)))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] == htonl(1)))
 
 /*
  * IPv4 compatible
  */
 #define IN6_IS_ADDR_V4COMPAT(a)         \
-        (((a)->s6_addr32[0] == 0) &&    \
-         ((a)->s6_addr32[1] == 0) &&    \
-         ((a)->s6_addr32[2] == 0) &&    \
-         ((a)->s6_addr32[3] != 0) &&    \
-         ((a)->s6_addr32[3] != htonl(1)))
+	(((a)->s6_addr32[0] == 0) &&    \
+	 ((a)->s6_addr32[1] == 0) &&    \
+	 ((a)->s6_addr32[2] == 0) &&    \
+	 ((a)->s6_addr32[3] != 0) &&    \
+	 ((a)->s6_addr32[3] != htonl(1)))
 
 /*
  * Mapped
  */
 #define IN6_IS_ADDR_V4MAPPED(a)               \
-        (((a)->s6_addr32[0] == 0) &&          \
-         ((a)->s6_addr32[1] == 0) &&          \
-         ((a)->s6_addr32[2] == htonl(0x0000ffff)))
+	(((a)->s6_addr32[0] == 0) &&          \
+	 ((a)->s6_addr32[1] == 0) &&          \
+	 ((a)->s6_addr32[2] == htonl(0x0000ffff)))
 
 #endif /* LWRES_IPV6_H */
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/lang.h b/usr.sbin/bind/lib/lwres/include/lwres/lang.h
index c9ec2a8fe65..d0789eee6b5 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/lang.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/lang.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: lang.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_LANG_H
 #define LWRES_LANG_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/list.h b/usr.sbin/bind/lib/lwres/include/lwres/list.h
index bf3e57bd2c0..aba3fe60766 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/list.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/list.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1997-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: list.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_LIST_H
 #define LWRES_LIST_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/lwbuffer.h b/usr.sbin/bind/lib/lwres/include/lwres/lwbuffer.h
index 0631495a2f0..0fb841d9ac7 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/lwbuffer.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/lwbuffer.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: lwbuffer.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 
 /*! \file lwres/lwbuffer.h
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/lwpacket.h b/usr.sbin/bind/lib/lwres/include/lwres/lwpacket.h
index 7a8cb427094..eea0a0a60da 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/lwpacket.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/lwpacket.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: lwpacket.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_LWPACKET_H
 #define LWRES_LWPACKET_H 1
@@ -29,83 +28,83 @@ typedef struct lwres_lwpacket lwres_lwpacket_t;
 
 /*% lwres_lwpacket structure */
 struct lwres_lwpacket {
-	/*! The overall packet length, including the 
+	/*! The overall packet length, including the
 	 *  entire packet header.
 	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
 	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
 	 */
 	lwres_uint32_t		length;
-	/*! Specifies the header format.  Currently, 
+	/*! Specifies the header format.  Currently,
 	 *  there is only one format, #LWRES_LWPACKETVERSION_0.
 	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
 	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-         */
+	 */
 	lwres_uint16_t		version;
- 	/*! Specifies library-defined flags for this packet, such as
-	 *  whether the packet is a request or a reply.  None of 
-	 *  these are definable by the caller, but library-defined values 
-	 *  can be set by the caller.  For example, one bit in this field 
+	/*! Specifies library-defined flags for this packet, such as
+	 *  whether the packet is a request or a reply.  None of
+	 *  these are definable by the caller, but library-defined values
+	 *  can be set by the caller.  For example, one bit in this field
 	 *  indicates if the packet is a request or a response.
 	 *  This field is filled in by
 	 *  the application wits the exception of the
 	 *  #LWRES_LWPACKETFLAG_RESPONSE bit, which is set by the library
 	 *  in the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
 	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
-         */
+	 */
 	lwres_uint16_t		pktflags;
- 	/*! Set by the requestor and is returned in all replies.  
-	 *  If two packets from the same source have the same serial 
-	 *  number and are from the same source, they are assumed to 
-	 *  be duplicates and the latter ones may be dropped.  
+	/*! Set by the requestor and is returned in all replies.
+	 *  If two packets from the same source have the same serial
+	 *  number and are from the same source, they are assumed to
+	 *  be duplicates and the latter ones may be dropped.
 	 *  (The library does not do this by default on replies, but
- 	 * does so on requests.)
-         */
+	 * does so on requests.)
+	 */
 	lwres_uint32_t		serial;
- 	/*! Opcodes between 0x04000000 and 0xffffffff
- 	 *  are application defined.  Opcodes between 
+	/*! Opcodes between 0x04000000 and 0xffffffff
+	 *  are application defined.  Opcodes between
 	 *  0x00000000 and 0x03ffffff are
- 	 * reserved for library use.
+	 * reserved for library use.
 	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
 	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
 	 */
 	lwres_uint32_t		opcode;
- 	/*! Only valid for results.  
-	 *  Results between 0x04000000 and 0xffffffff are application 
+	/*! Only valid for results.
+	 *  Results between 0x04000000 and 0xffffffff are application
 	 *  defined.
- 	 * Results between 0x00000000 and 0x03ffffff are reserved for 
+	 * Results between 0x00000000 and 0x03ffffff are reserved for
 	 * library use.
- 	 * (This is the same reserved range defined in <isc/resultclass.h>, 
+	 * (This is the same reserved range defined in <isc/resultclass.h>,
 	 * so it
- 	 * would be trivial to map ISC_R_* result codes into packet result 
+	 * would be trivial to map ISC_R_* result codes into packet result
 	 * codes when appropriate.)
 	 *  This field is filled in by the
-	 *  \link lwres_gabn.c lwres_gabn_*()\endlink 
+	 *  \link lwres_gabn.c lwres_gabn_*()\endlink
 	 *  and \link lwres_gnba.c lwres_gnba_*()\endlink calls.
 	 */
 	lwres_uint32_t		result;
- 	/*! Set to the maximum buffer size that the receiver can
- 	 *  handle on requests, and the size of the buffer needed to 
+	/*! Set to the maximum buffer size that the receiver can
+	 *  handle on requests, and the size of the buffer needed to
 	 *  satisfy a request
- 	 *  when the buffer is too large for replies.
+	 *  when the buffer is too large for replies.
 	 *  This field is supplied by the application.
 	 */
 	lwres_uint32_t		recvlength;
- 	/*! The packet level auth type used.
- 	 *  Authtypes between 0x1000 and 0xffff are application defined.  
+	/*! The packet level auth type used.
+	 *  Authtypes between 0x1000 and 0xffff are application defined.
 	 *  Authtypes
- 	 *  between 0x0000 and 0x0fff are reserved for library use.  
+	 *  between 0x0000 and 0x0fff are reserved for library use.
 	 *  This is currently
- 	 *  unused and MUST be set to zero.
+	 *  unused and MUST be set to zero.
 	 */
 	lwres_uint16_t		authtype;
- 	/*! The length of the authentication data.  
+	/*! The length of the authentication data.
 	 *  See the specific
- 	 * authtypes for more information on what is contained 
-	 * in this field.  This is currently unused, and 
+	 * authtypes for more information on what is contained
+	 * in this field.  This is currently unused, and
 	 * MUST be set to zero.
 	 */
 	lwres_uint16_t		authlength;
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/lwres.h b/usr.sbin/bind/lib/lwres/include/lwres/lwres.h
index 17ef4f7a186..f79da529fd5 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/lwres.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/lwres.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres.h,v 1.3 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: lwres.h,v 1.4 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_LWRES_H
 #define LWRES_LWRES_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/netdb.h.in b/usr.sbin/bind/lib/lwres/include/lwres/netdb.h.in
index bef45afe95f..83474f82ace 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/netdb.h.in
+++ b/usr.sbin/bind/lib/lwres/include/lwres/netdb.h.in
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2009, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: netdb.h.in,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/platform.h.in b/usr.sbin/bind/lib/lwres/include/lwres/platform.h.in
index 913d051021a..eff2810ed33 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/platform.h.in
+++ b/usr.sbin/bind/lib/lwres/include/lwres/platform.h.in
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: platform.h.in,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/result.h b/usr.sbin/bind/lib/lwres/include/lwres/result.h
index 22d876fb280..3fc9aba3e41 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/result.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/result.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: result.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_RESULT_H
 #define LWRES_RESULT_H 1
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/stdlib.h b/usr.sbin/bind/lib/lwres/include/lwres/stdlib.h
index 4ee1dd2dacc..6bb3f8312df 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/stdlib.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/stdlib.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/string.h b/usr.sbin/bind/lib/lwres/include/lwres/string.h
index deebb5a51c4..f5c9a8912e2 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/string.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/string.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/include/lwres/version.h b/usr.sbin/bind/lib/lwres/include/lwres/version.h
index 62242f52381..8ea8a9d0913 100644
--- a/usr.sbin/bind/lib/lwres/include/lwres/version.h
+++ b/usr.sbin/bind/lib/lwres/include/lwres/version.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: version.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file lwres/version.h */
 
diff --git a/usr.sbin/bind/lib/lwres/lwbuffer.c b/usr.sbin/bind/lib/lwres/lwbuffer.c
index 12c9a5a9c96..8aee809e4a6 100644
--- a/usr.sbin/bind/lib/lwres/lwbuffer.c
+++ b/usr.sbin/bind/lib/lwres/lwbuffer.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwbuffer.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/lwconfig.c b/usr.sbin/bind/lib/lwres/lwconfig.c
index 32019b97318..7f9c85e6a77 100644
--- a/usr.sbin/bind/lib/lwres/lwconfig.c
+++ b/usr.sbin/bind/lib/lwres/lwconfig.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004-2008, 2011, 2012, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/lwinetaton.c b/usr.sbin/bind/lib/lwres/lwinetaton.c
index d9ee27b490e..22ddfad6fc8 100644
--- a/usr.sbin/bind/lib/lwres/lwinetaton.c
+++ b/usr.sbin/bind/lib/lwres/lwinetaton.c
@@ -1,6 +1,5 @@
 /*
- * Portions Copyright (C) 2004, 2005, 2007, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
- * Portions Copyright (C) 1996-2001, 2003  Internet Software Consortium.
+ * Portions Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -68,7 +67,7 @@
  */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.7 2019/12/16 16:16:28 deraadt Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.8 2019/12/17 01:46:38 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/usr.sbin/bind/lib/lwres/lwinetntop.c b/usr.sbin/bind/lib/lwres/lwinetntop.c
index 6cb1fc19345..45ea1484ece 100644
--- a/usr.sbin/bind/lib/lwres/lwinetntop.c
+++ b/usr.sbin/bind/lib/lwres/lwinetntop.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
  */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.10 2019/12/16 16:16:28 deraadt Exp $";
+	"$Id: lwinetntop.c,v 1.11 2019/12/17 01:46:38 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/usr.sbin/bind/lib/lwres/lwinetpton.c b/usr.sbin/bind/lib/lwres/lwinetpton.c
index 8181d2a9d22..37bb3a82f9a 100644
--- a/usr.sbin/bind/lib/lwres/lwinetpton.c
+++ b/usr.sbin/bind/lib/lwres/lwinetpton.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011-2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1996-2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +18,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.3 2019/12/17 01:46:38 sthen Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -90,12 +89,12 @@ inet_pton4(const char *src, unsigned char *dst) {
 		const char *pch;
 
 		if ((pch = strchr(digits, ch)) != NULL) {
-			unsigned int new = *tp * 10;
+			unsigned int byte = *tp * 10;
 
-			new += (unsigned int)(pch - digits);
-			if (new > 255)
+			byte += (unsigned int)(pch - digits);
+			if (byte > 255)
 				return (0);
-			*tp = new;
+			*tp = byte;
 			if (! saw_digit) {
 				if (++octets > 4)
 					return (0);
diff --git a/usr.sbin/bind/lib/lwres/lwpacket.c b/usr.sbin/bind/lib/lwres/lwpacket.c
index d200e47ae2b..9f565fb3b5e 100644
--- a/usr.sbin/bind/lib/lwres/lwpacket.c
+++ b/usr.sbin/bind/lib/lwres/lwpacket.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,40 +14,40 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwpacket.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
 /**
  *    These functions rely on a struct lwres_lwpacket which is defined in
  *    \link lwpacket.h lwres/lwpacket.h.\endlink
- * 
- *    The following opcodes are currently defined:   
- * 
+ *
+ *    The following opcodes are currently defined:
+ *
  * \li   #LWRES_OPCODE_NOOP
  *           Success is always returned and the packet contents are
  *           echoed. The \link lwres_noop.c lwres_noop_*()\endlink functions should be used for this
  *           type.
- * 
+ *
  * \li   #LWRES_OPCODE_GETADDRSBYNAME
  *           returns all known addresses for a given name. The
  *           \link lwres_gabn.c lwres_gabn_*()\endlink functions should be used for this type.
- * 
+ *
  * \li   #LWRES_OPCODE_GETNAMEBYADDR
  *           return the hostname for the given address. The
- *           \link lwres_gnba.c lwres_gnba_*() \endlink functions should be used for this type.     
- * 
+ *           \link lwres_gnba.c lwres_gnba_*() \endlink functions should be used for this type.
+ *
  *    lwres_lwpacket_renderheader() transfers the contents of lightweight
  *    resolver packet structure #lwres_lwpacket_t *pkt in network byte
  *    order to the lightweight resolver buffer, *b.
- * 
+ *
  *    lwres_lwpacket_parseheader() performs the converse operation. It
  *    transfers data in network byte order from buffer *b to resolver
- *    packet *pkt. The contents of the buffer b should correspond to a   
+ *    packet *pkt. The contents of the buffer b should correspond to a
  *    #lwres_lwpacket_t.
- * 
+ *
  * \section lwpacket_return Return Values
- * 
+ *
  *    Successful calls to lwres_lwpacket_renderheader() and
  *    lwres_lwpacket_parseheader() return #LWRES_R_SUCCESS. If there is
  *    insufficient space to copy data between the buffer *b and
diff --git a/usr.sbin/bind/lib/lwres/lwres_gabn.c b/usr.sbin/bind/lib/lwres/lwres_gabn.c
index b84ecb77586..d846b0df179 100644
--- a/usr.sbin/bind/lib/lwres/lwres_gabn.c
+++ b/usr.sbin/bind/lib/lwres/lwres_gabn.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gabn.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwres_gabn.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file lwres_gabn.c
    These are low-level routines for creating and parsing lightweight
diff --git a/usr.sbin/bind/lib/lwres/lwres_gnba.c b/usr.sbin/bind/lib/lwres/lwres_gnba.c
index 32b2600082f..a0a346dad55 100644
--- a/usr.sbin/bind/lib/lwres/lwres_gnba.c
+++ b/usr.sbin/bind/lib/lwres/lwres_gnba.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gnba.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwres_gnba.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file lwres_gnba.c
    These are low-level routines for creating and parsing lightweight
diff --git a/usr.sbin/bind/lib/lwres/lwres_grbn.c b/usr.sbin/bind/lib/lwres/lwres_grbn.c
index 517a97c43d5..aff24328b38 100644
--- a/usr.sbin/bind/lib/lwres/lwres_grbn.c
+++ b/usr.sbin/bind/lib/lwres/lwres_grbn.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013, 2016  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_grbn.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwres_grbn.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file lwres_grbn.c
 
diff --git a/usr.sbin/bind/lib/lwres/lwres_noop.c b/usr.sbin/bind/lib/lwres/lwres_noop.c
index b2fafaede09..01c30bd3e94 100644
--- a/usr.sbin/bind/lib/lwres/lwres_noop.c
+++ b/usr.sbin/bind/lib/lwres/lwres_noop.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2013  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_noop.c,v 1.2 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwres_noop.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/lwresutil.c b/usr.sbin/bind/lib/lwres/lwresutil.c
index 3dd565fe285..29a3d6a073f 100644
--- a/usr.sbin/bind/lib/lwres/lwresutil.c
+++ b/usr.sbin/bind/lib/lwres/lwresutil.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2014  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresutil.c,v 1.5 2019/12/16 16:16:28 deraadt Exp $ */
+/* $Id: lwresutil.c,v 1.6 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/lwres/man/Makefile.in b/usr.sbin/bind/lib/lwres/man/Makefile.in
index b2e7cb962ba..43f3e4eae54 100644
--- a/usr.sbin/bind/lib/lwres/man/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/man/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2015, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:38 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/lwres/man/lwres.3 b/usr.sbin/bind/lib/lwres/man/lwres.3
index c16482bca27..1faedba8e51 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -181,7 +180,5 @@ bit should be set\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres.docbook b/usr.sbin/bind/lib/lwres/man/lwres.docbook
index d6b0932644b..4b95a6c34ea 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -37,19 +36,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refsynopsisdiv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres.html b/usr.sbin/bind/lib/lwres/man/lwres.html
index 125ad4b5605..5e838ffbf08 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_buffer.3 b/usr.sbin/bind/lib/lwres/man/lwres_buffer.3
index addd43a4685..db5931a979e 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_buffer.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_buffer.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -257,7 +256,5 @@ to
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_buffer.docbook b/usr.sbin/bind/lib/lwres/man/lwres_buffer.docbook
index 8cf144372d6..66512cbd2b7 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_buffer.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_buffer.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_buffer.html b/usr.sbin/bind/lib/lwres/man/lwres_buffer.html
index 521e4be0f1a..901c54a8108 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_buffer.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_buffer.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_config.3 b/usr.sbin/bind/lib/lwres/man/lwres_config.3
index 2362721c512..ff0d8c81327 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_config.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_config.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -121,7 +120,5 @@ unless an error occurred when converting the network addresses to a numeric host
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_config.docbook b/usr.sbin/bind/lib/lwres/man/lwres_config.docbook
index ed36173c434..a6c641c6731 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_config.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_config.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_config.html b/usr.sbin/bind/lib/lwres/man/lwres_config.html
index 4c6021e0624..aed0adf68be 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_config.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_config.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.3 b/usr.sbin/bind/lib/lwres/man/lwres_context.3
index a65abfbe35e..9c93ef2d4c7 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_context.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_context.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -186,7 +185,5 @@ times out waiting for a response\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.docbook b/usr.sbin/bind/lib/lwres/man/lwres_context.docbook
index 12ff7037115..28cb760c35a 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_context.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_context.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,20 +34,18 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_context.html b/usr.sbin/bind/lib/lwres/man/lwres_context.html
index 324e5499c07..9acbf2483f4 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_context.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_context.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gabn.3 b/usr.sbin/bind/lib/lwres/man/lwres_gabn.3
index d986a4d41b9..97cd0004850 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gabn.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gabn.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -222,7 +221,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gabn.docbook b/usr.sbin/bind/lib/lwres/man/lwres_gabn.docbook
index 02c86812a3c..256ea371504 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gabn.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gabn.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,19 +34,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gabn.html b/usr.sbin/bind/lib/lwres/man/lwres_gabn.html
index 6bfb5e5b5e4..2aefac6df5c 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gabn.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gabn.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.3 b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.3
index 82720bf3213..42068c9b0fc 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -145,7 +144,5 @@ used by
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.docbook b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.docbook
index 64ab8ef525e..619825d2e2e 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html
index 2f5cced798a..2b63797b983 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gai_strerror.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.3 b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.3
index cd1517257b4..a448ebe5bf3 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -259,7 +258,5 @@ returns
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.docbook b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.docbook
index eba07648e96..af36b9f074b 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,20 +34,18 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html
index 1dbc7a116f2..f2d1ce182f7 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getaddrinfo.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.3 b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.3
index 82c7264e029..98f6104b510 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2001 Internet Software Consortium.
+.\" Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -334,7 +333,5 @@ or
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2001 Internet Software Consortium.
+Copyright \(co 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.docbook b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.docbook
index c8f0bb056ed..63535c8a09c 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,18 +34,16 @@
 
   <docinfo>
     <copyright>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html
index 057ca3fac5f..1d24f805752 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gethostent.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2001 Internet Software Consortium.
+ - Copyright (C) 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3 b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3
index 48fa42845a4..b2ce9787d5b 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -225,7 +224,5 @@ translates these error codes to suitable error messages\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001, 2003 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook
index 25dd11a17c2..8952fc227c9 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,20 +32,18 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2003</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <year>2003</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html
index 238842114f8..4411b365217 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getipnode.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001, 2003 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2003-2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.3 b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.3
index 5c8adbea278..c2ab912a9c5 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -132,7 +131,5 @@ are\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.docbook b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.docbook
index 162f3bcbb7d..b046d1f7d1f 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html
index 063d580ff12..5006eaa7f89 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getnameinfo.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.3 b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.3
index e5e3d801e64..47037c94b8d 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -175,7 +174,5 @@ other failure
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.docbook b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.docbook
index eb892d9141f..cfcd6cfa16c 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html
index 1b87b9257a8..2c82f23bc12 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_getrrsetbyname.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gnba.3 b/usr.sbin/bind/lib/lwres/man/lwres_gnba.3
index a8ff9a81b67..61371705ac4 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gnba.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gnba.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -207,7 +206,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gnba.docbook b/usr.sbin/bind/lib/lwres/man/lwres_gnba.docbook
index 71f1b89cc5a..fac98b44162 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gnba.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gnba.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,19 +34,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_gnba.html b/usr.sbin/bind/lib/lwres/man/lwres_gnba.html
index 729042f7e38..339c5b323a6 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_gnba.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_gnba.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.3 b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.3
index 8accf1bc3cc..ddf2a829f3d 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -115,7 +114,5 @@ is not a valid error code\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.docbook b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.docbook
index ad4725b74d9..a54aa53e232 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html
index 887e611c0d7..0d729ff217d 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_hstrerror.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.3 b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.3
index 3cc71ba4547..11632efa355 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -93,7 +92,5 @@ is not supported\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.docbook b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.docbook
index c50695e88dd..43eb887cc9e 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,19 +34,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html
index f25feb4c8f7..7f8b6f3f9c6 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_inetntop.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_noop.3 b/usr.sbin/bind/lib/lwres/man/lwres_noop.3
index 4f349a26dd2..cecfddde2a5 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_noop.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_noop.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -207,7 +206,5 @@ indicate that the packet is not a response to an earlier query\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_noop.docbook b/usr.sbin/bind/lib/lwres/man/lwres_noop.docbook
index 88df5c630d7..16efbb94679 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_noop.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_noop.docbook
@@ -1,8 +1,7 @@
 <!DOCTYPE book [
 <!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -35,19 +34,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_noop.html b/usr.sbin/bind/lib/lwres/man/lwres_noop.html
index e0b16f7f4be..ee779fc2a9b 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_noop.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_noop.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_packet.3 b/usr.sbin/bind/lib/lwres/man/lwres_packet.3
index 56a6236bdaf..397bc12bf41 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_packet.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_packet.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -191,7 +190,5 @@ both functions return
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_packet.docbook b/usr.sbin/bind/lib/lwres/man/lwres_packet.docbook
index d8c8f53eeff..f59cecd12c3 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_packet.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_packet.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_packet.html b/usr.sbin/bind/lib/lwres/man/lwres_packet.html
index 0c181a5200b..10e7698ef8e 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_packet.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_packet.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_resutil.3 b/usr.sbin/bind/lib/lwres/man/lwres_resutil.3
index 81cd9811638..7b219bb91e2 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_resutil.3
+++ b/usr.sbin/bind/lib/lwres/man/lwres_resutil.3
@@ -1,5 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.\" Copyright (C) 2000, 2001 Internet Software Consortium.
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .\" 
 .\" Permission to use, copy, modify, and/or distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -190,7 +189,5 @@ if the buffers used for sending queries and receiving replies are too small\&.
 \fBInternet Systems Consortium, Inc\&.\fR
 .SH "COPYRIGHT"
 .br
-Copyright \(co 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
-.br
-Copyright \(co 2000, 2001 Internet Software Consortium.
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
 .br
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_resutil.docbook b/usr.sbin/bind/lib/lwres/man/lwres_resutil.docbook
index f2286e84c82..e640add7c95 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_resutil.docbook
+++ b/usr.sbin/bind/lib/lwres/man/lwres_resutil.docbook
@@ -1,6 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016  Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001  Internet Software Consortium.
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  -
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
@@ -33,19 +32,17 @@
 
   <docinfo>
     <copyright>
+      <year>2000</year>
+      <year>2001</year>
       <year>2004</year>
       <year>2005</year>
       <year>2007</year>
       <year>2014</year>
       <year>2015</year>
       <year>2016</year>
+      <year>2018</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
-    <copyright>
-      <year>2000</year>
-      <year>2001</year>
-      <holder>Internet Software Consortium.</holder>
-    </copyright>
   </docinfo>
 
   <refnamediv>
diff --git a/usr.sbin/bind/lib/lwres/man/lwres_resutil.html b/usr.sbin/bind/lib/lwres/man/lwres_resutil.html
index 9f45b53861a..c0cdc4d41b2 100644
--- a/usr.sbin/bind/lib/lwres/man/lwres_resutil.html
+++ b/usr.sbin/bind/lib/lwres/man/lwres_resutil.html
@@ -1,7 +1,6 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <!--
- - Copyright (C) 2004, 2005, 2007, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000, 2001 Internet Software Consortium.
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")
  - 
  - Permission to use, copy, modify, and/or distribute this software for any
  - purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/lwres/print.c b/usr.sbin/bind/lib/lwres/print.c
index 6346c718c36..da0ff925698 100644
--- a/usr.sbin/bind/lib/lwres/print.c
+++ b/usr.sbin/bind/lib/lwres/print.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2011, 2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -506,7 +505,7 @@ lwres__print_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
 #else
 			INSIST("long doubles are not supported" == NULL);
 #endif
-			/*FALLTHROUGH*/
+			/* FALLTHROUGH */
 		case 'e':
 		case 'E':
 		case 'f':
diff --git a/usr.sbin/bind/lib/lwres/print_p.h b/usr.sbin/bind/lib/lwres/print_p.h
index 12f289ce60f..ab97648dddb 100644
--- a/usr.sbin/bind/lib/lwres/print_p.h
+++ b/usr.sbin/bind/lib/lwres/print_p.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2007, 2010  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print_p.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: print_p.h,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 #ifndef LWRES_PRINT_P_H
 #define LWRES_PRINT_P_H 1
diff --git a/usr.sbin/bind/lib/lwres/unix/Makefile.in b/usr.sbin/bind/lib/lwres/unix/Makefile.in
index 56ac77cc207..d849982a70c 100644
--- a/usr.sbin/bind/lib/lwres/unix/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/unix/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:39 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/lwres/unix/include/Makefile.in b/usr.sbin/bind/lib/lwres/unix/include/Makefile.in
index 4dabae2e4fe..fb05d830873 100644
--- a/usr.sbin/bind/lib/lwres/unix/include/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/unix/include/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:39 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/lwres/unix/include/lwres/Makefile.in b/usr.sbin/bind/lib/lwres/unix/include/lwres/Makefile.in
index 50a1ef3f7e3..39ba2db5cf4 100644
--- a/usr.sbin/bind/lib/lwres/unix/include/lwres/Makefile.in
+++ b/usr.sbin/bind/lib/lwres/unix/include/lwres/Makefile.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004, 2007, 2012, 2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 2001  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2019/12/16 16:16:29 deraadt Exp $
+# $Id: Makefile.in,v 1.3 2019/12/17 01:46:39 sthen Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/usr.sbin/bind/lib/lwres/unix/include/lwres/net.h b/usr.sbin/bind/lib/lwres/unix/include/lwres/net.h
index d3747a1c0b7..58c382f50cc 100644
--- a/usr.sbin/bind/lib/lwres/unix/include/lwres/net.h
+++ b/usr.sbin/bind/lib/lwres/unix/include/lwres/net.h
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000-2002  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: net.h,v 1.3 2019/12/17 01:46:39 sthen Exp $ */
 
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
@@ -65,7 +64,7 @@
 #ifdef LWRES_PLATFORM_NEEDNETINET6IN6H
 #include <netinet6/in6.h>	/* Required on BSD/OS for in6_pktinfo. */
 #endif
-#include <net/if.h>	
+#include <net/if.h>
 
 #include <lwres/lang.h>
 
@@ -80,7 +79,7 @@
 /*!
  * Required for some pre RFC2133 implementations.
  * IN6ADDR_ANY_INIT and IN6ADDR_LOOPBACK_INIT were added in
- * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.  
+ * draft-ietf-ipngwg-bsd-api-04.txt or draft-ietf-ipngwg-bsd-api-05.txt.
  * If 's6_addr' is defined then assume that there is a union and three
  * levels otherwise assume two levels required.
  */
diff --git a/usr.sbin/bind/lib/lwres/version.c b/usr.sbin/bind/lib/lwres/version.c
index b4448da8700..3ac906b8529 100644
--- a/usr.sbin/bind/lib/lwres/version.c
+++ b/usr.sbin/bind/lib/lwres/version.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
- * Copyright (C) 2000, 2001  Internet Software Consortium.
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.2 2019/12/16 16:16:29 deraadt Exp $ */
+/* $Id: version.c,v 1.3 2019/12/17 01:46:38 sthen Exp $ */
 
 /*! \file */
 
diff --git a/usr.sbin/bind/lib/samples/Makefile-postinstall.in b/usr.sbin/bind/lib/samples/Makefile-postinstall.in
index 366c45707f1..7b2e1e2dcd0 100644
--- a/usr.sbin/bind/lib/samples/Makefile-postinstall.in
+++ b/usr.sbin/bind/lib/samples/Makefile-postinstall.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012-2014  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile-postinstall.in,v 1.1 2019/12/16 16:31:37 deraadt Exp $
+# $Id: Makefile-postinstall.in,v 1.2 2019/12/17 01:46:39 sthen Exp $
 
 srcdir =	@srcdir@
 #prefix =	@prefix@
diff --git a/usr.sbin/bind/lib/samples/Makefile.in b/usr.sbin/bind/lib/samples/Makefile.in
index b2efa2218ff..f96530e1427 100644
--- a/usr.sbin/bind/lib/samples/Makefile.in
+++ b/usr.sbin/bind/lib/samples/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -22,8 +22,8 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =	-I${srcdir}/include -I../dns/include \
 		${DNS_INCLUDES} ${ISC_INCLUDES} \
-		@ISC_OPENSSL_INC@ -I${top_srcdir}/lib/irs/include \
-		-I../../lib/irs/include
+		-I${top_srcdir}/lib/irs/include \
+		-I../../lib/irs/include @ISC_OPENSSL_INC@
 
 CDEFINES =	@CRYPTO@ -DVERSION=\"${VERSION}\" \
 		-DSYSCONFDIR=\"${sysconfdir}\"
diff --git a/usr.sbin/bind/lib/samples/nsprobe.c b/usr.sbin/bind/lib/samples/nsprobe.c
index 9ffb6d3970a..673f090bdf4 100644
--- a/usr.sbin/bind/lib/samples/nsprobe.c
+++ b/usr.sbin/bind/lib/samples/nsprobe.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsprobe.c,v 1.1 2019/12/16 16:31:37 deraadt Exp $ */
+/* $Id: nsprobe.c,v 1.2 2019/12/17 01:46:39 sthen Exp $ */
 
 #include <config.h>
 
@@ -635,7 +635,7 @@ request_done(isc_task_t *task, isc_event_t *event) {
 	} else if (rev->result == ISC_R_TIMEDOUT)
 		*resultp = timedout;
 	else {
-		fprintf(stderr, "unexpected result: %d (domain=%s, server=",
+		fprintf(stderr, "unexpected result: %u (domain=%s, server=",
 			rev->result, trans->domain);
 		print_address(stderr, &server->address);
 		fputc('\n', stderr);
@@ -1068,14 +1068,14 @@ main(int argc, char *argv[]) {
 	isc_lib_register();
 	result = dns_lib_init();
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
 		exit(1);
 	}
 
 	result = ctxs_init(&mctx, &actx, &taskmgr, &socketmgr,
 			   &timermgr);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "ctx create failed: %d\n", result);
+		fprintf(stderr, "ctx create failed: %u\n", result);
 		exit(1);
 	}
 
@@ -1084,7 +1084,7 @@ main(int argc, char *argv[]) {
 	result = dns_client_createx(mctx, actx, taskmgr, socketmgr,
 				    timermgr, 0, &client);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_createx failed: %d\n", result);
+		fprintf(stderr, "dns_client_createx failed: %u\n", result);
 		exit(1);
 	}
 
@@ -1114,7 +1114,7 @@ main(int argc, char *argv[]) {
 	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
 				       &servers);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to set server: %d\n", result);
+		fprintf(stderr, "failed to set server: %u\n", result);
 		exit(1);
 	}
 
@@ -1122,7 +1122,7 @@ main(int argc, char *argv[]) {
 	probe_task = NULL;
 	result = isc_task_create(taskmgr, 0, &probe_task);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create task: %d\n", result);
+		fprintf(stderr, "failed to create task: %u\n", result);
 		exit(1);
 	}
 
diff --git a/usr.sbin/bind/lib/samples/resolve.c b/usr.sbin/bind/lib/samples/resolve.c
index 19235c673b5..518ad2e5ef9 100644
--- a/usr.sbin/bind/lib/samples/resolve.c
+++ b/usr.sbin/bind/lib/samples/resolve.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -183,7 +183,7 @@ set_key(dns_client_t *client, char *keynamestr, char *keystr,
 
 static void
 addserver(dns_client_t *client, const char *addrstr, const char *port,
-	  const char *namespace)
+	  const char *name_space)
 {
 	struct addrinfo hints, *res;
 	int gaierror;
@@ -214,15 +214,15 @@ addserver(dns_client_t *client, const char *addrstr, const char *port,
 	ISC_LIST_INIT(servers);
 	ISC_LIST_APPEND(servers, &sa, link);
 
-	if (namespace != NULL) {
-		namelen = strlen(namespace);
-		isc_buffer_constinit(&b, namespace, namelen);
+	if (name_space != NULL) {
+		namelen = strlen(name_space);
+		isc_buffer_constinit(&b, name_space, namelen);
 		isc_buffer_add(&b, namelen);
 		dns_fixedname_init(&fname);
 		name = dns_fixedname_name(&fname);
 		result = dns_name_fromtext(name, &b, dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS) {
-			fprintf(stderr, "failed to convert qname: %d\n",
+			fprintf(stderr, "failed to convert qname: %u\n",
 				result);
 			exit(1);
 		}
@@ -231,7 +231,7 @@ addserver(dns_client_t *client, const char *addrstr, const char *port,
 	result = dns_client_setservers(client, dns_rdataclass_in, name,
 				       &servers);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "set server failed: %d\n", result);
+		fprintf(stderr, "set server failed: %u\n", result);
 		exit(1);
 	}
 }
@@ -371,7 +371,7 @@ main(int argc, char *argv[]) {
 	isc_lib_register();
 	result = dns_lib_init();
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
 		exit(1);
 	}
 
@@ -401,7 +401,7 @@ main(int argc, char *argv[]) {
 	result = dns_client_createx2(mctx, actx, taskmgr, socketmgr, timermgr,
 				    clientopt, &client, addr4, addr6);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d, %s\n", result,
+		fprintf(stderr, "dns_client_create failed: %u, %s\n", result,
 			isc_result_totext(result));
 		exit(1);
 	}
@@ -413,7 +413,7 @@ main(int argc, char *argv[]) {
 
 		result = irs_resconf_load(mctx, "/etc/resolv.conf", &resconf);
 		if (result != ISC_R_SUCCESS && result != ISC_R_FILENOTFOUND) {
-			fprintf(stderr, "irs_resconf_load failed: %d\n",
+			fprintf(stderr, "irs_resconf_load failed: %u\n",
 				result);
 			exit(1);
 		}
@@ -422,7 +422,7 @@ main(int argc, char *argv[]) {
 					       NULL, nameservers);
 		if (result != ISC_R_SUCCESS) {
 			irs_resconf_destroy(&resconf);
-			fprintf(stderr, "dns_client_setservers failed: %d\n",
+			fprintf(stderr, "dns_client_setservers failed: %u\n",
 				result);
 			exit(1);
 		}
@@ -454,7 +454,7 @@ main(int argc, char *argv[]) {
 	qname = dns_fixedname_name(&qname0);
 	result = dns_name_fromtext(qname, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS)
-		fprintf(stderr, "failed to convert qname: %d\n", result);
+		fprintf(stderr, "failed to convert qname: %u\n", result);
 
 	/* Perform resolution */
 	resopt = DNS_CLIENTRESOPT_ALLOWRUN;
diff --git a/usr.sbin/bind/lib/samples/rootkey.sh b/usr.sbin/bind/lib/samples/rootkey.sh
index 53b818a7ad3..8299c011e86 100644
--- a/usr.sbin/bind/lib/samples/rootkey.sh
+++ b/usr.sbin/bind/lib/samples/rootkey.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
diff --git a/usr.sbin/bind/lib/samples/sample-async.c b/usr.sbin/bind/lib/samples/sample-async.c
index bbf06cfdb14..367b240e506 100644
--- a/usr.sbin/bind/lib/samples/sample-async.c
+++ b/usr.sbin/bind/lib/samples/sample-async.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2013-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-async.c,v 1.1 2019/12/16 16:31:37 deraadt Exp $ */
+/* $Id: sample-async.c,v 1.2 2019/12/17 01:46:39 sthen Exp $ */
 
 #include <config.h>
 
@@ -169,7 +169,7 @@ process_answer(isc_task_t *task, isc_event_t *event) {
 	printf("answer[%2d]\n", trans->id);
 
 	if (rev->result != ISC_R_SUCCESS)
-		printf("  failed: %d(%s)\n", rev->result,
+		printf("  failed: %u(%s)\n", rev->result,
 		       dns_result_totext(rev->result));
 
 	for (name = ISC_LIST_HEAD(rev->answerlist); name != NULL;
@@ -331,14 +331,14 @@ main(int argc, char *argv[]) {
 	isc_lib_register();
 	result = dns_lib_init();
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
 		exit(1);
 	}
 
 	result = ctxs_init(&mctx, &query_actx, &taskmgr, &socketmgr,
 			   &timermgr);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "ctx create failed: %d\n", result);
+		fprintf(stderr, "ctx create failed: %u\n", result);
 		exit(1);
 	}
 
@@ -347,7 +347,7 @@ main(int argc, char *argv[]) {
 	result = dns_client_createx(mctx, query_actx, taskmgr, socketmgr,
 				    timermgr, 0, &client);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_createx failed: %d\n", result);
+		fprintf(stderr, "dns_client_createx failed: %u\n", result);
 		exit(1);
 	}
 
@@ -365,7 +365,7 @@ main(int argc, char *argv[]) {
 	result = dns_client_setservers(client, dns_rdataclass_in, NULL,
 				       &servers);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "set server failed: %d\n", result);
+		fprintf(stderr, "set server failed: %u\n", result);
 		exit(1);
 	}
 
@@ -373,7 +373,7 @@ main(int argc, char *argv[]) {
 	query_task = NULL;
 	result = isc_task_create(taskmgr, 0, &query_task);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to create task: %d\n", result);
+		fprintf(stderr, "failed to create task: %u\n", result);
 		exit(1);
 	}
 
diff --git a/usr.sbin/bind/lib/samples/sample-gai.c b/usr.sbin/bind/lib/samples/sample-gai.c
index b3178905220..c529c7e5fa1 100644
--- a/usr.sbin/bind/lib/samples/sample-gai.c
+++ b/usr.sbin/bind/lib/samples/sample-gai.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2015  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-gai.c,v 1.1 2019/12/16 16:31:37 deraadt Exp $ */
+/* $Id: sample-gai.c,v 1.2 2019/12/17 01:46:39 sthen Exp $ */
 
 #include <config.h>
 
diff --git a/usr.sbin/bind/lib/samples/sample-request.c b/usr.sbin/bind/lib/samples/sample-request.c
index 03978948ad0..81faeac2340 100644
--- a/usr.sbin/bind/lib/samples/sample-request.c
+++ b/usr.sbin/bind/lib/samples/sample-request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-request.c,v 1.1 2019/12/16 16:31:37 deraadt Exp $ */
+/* $Id: sample-request.c,v 1.2 2019/12/17 01:46:39 sthen Exp $ */
 
 #include <config.h>
 
@@ -93,7 +93,7 @@ make_querymessage(dns_message_t *message, const char *namestr,
 	qname0 = dns_fixedname_name(&fixedqname);
 	result = dns_name_fromtext(qname0, &b, dns_rootname, 0, NULL);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "failed to convert qname: %d\n", result);
+		fprintf(stderr, "failed to convert qname: %u\n", result);
 		return (result);
 	}
 
@@ -183,13 +183,13 @@ main(int argc, char *argv[]) {
 	isc_lib_register();
 	result = dns_lib_init();
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
 		exit(1);
 	}
 
 	result = dns_client_create(&client, 0);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d\n", result);
+		fprintf(stderr, "dns_client_create failed: %u\n", result);
 		exit(1);
 	}
 
diff --git a/usr.sbin/bind/lib/samples/sample-update.c b/usr.sbin/bind/lib/samples/sample-update.c
index 4938b20f48c..541cb8d5347 100644
--- a/usr.sbin/bind/lib/samples/sample-update.c
+++ b/usr.sbin/bind/lib/samples/sample-update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2010, 2012-2016  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sample-update.c,v 1.1 2019/12/16 16:31:37 deraadt Exp $ */
+/* $Id: sample-update.c,v 1.2 2019/12/17 01:46:39 sthen Exp $ */
 
 #include <config.h>
 
@@ -81,6 +81,7 @@ usage(void) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(void) {
 	fprintf(stderr, "sample-update "
+		"-s "
 		"[-a auth_server] "
 		"[-k keyfile] "
 		"[-p prerequisite] "
@@ -90,6 +91,31 @@ usage(void) {
 	exit(1);
 }
 
+#ifdef _WIN32
+static void
+InitSockets(void) {
+	WORD wVersionRequested;
+	WSADATA wsaData;
+	int err;
+
+	wVersionRequested = MAKEWORD(2, 0);
+
+	err = WSAStartup(wVersionRequested, &wsaData);
+	if (err != 0) {
+		fprintf(stderr, "WSAStartup() failed: %d\n", err);
+		exit(1);
+	}
+}
+
+static void
+DestroySockets(void) {
+	WSACleanup();
+}
+#else
+#define InitSockets() ((void)0)
+#define DestroySockets() ((void)0)
+#endif
+
 static isc_boolean_t
 addserver(const char *server, isc_sockaddrlist_t *list,
 	   isc_sockaddr_t *sockaddr)
@@ -107,10 +133,12 @@ addserver(const char *server, isc_sockaddrlist_t *list,
 #ifdef AI_NUMERICSERV
 	hints.ai_flags |= AI_NUMERICSERV;
 #endif
+	InitSockets();
 	gaierror = getaddrinfo(server, port, &hints, &res);
 	if (gaierror != 0) {
 		fprintf(stderr, "getaddrinfo(%s) failed: %s\n",
 			server, gai_strerror(gaierror));
+		DestroySockets();
 		return (ISC_FALSE);
 	}
 	INSIST(res->ai_addrlen <= sizeof(sockaddr->type));
@@ -119,6 +147,7 @@ addserver(const char *server, isc_sockaddrlist_t *list,
 	ISC_LINK_INIT(sockaddr, link);
 	ISC_LIST_APPEND(*list, sockaddr, link);
 	freeaddrinfo(res);
+	DestroySockets();
 	return (ISC_TRUE);
 }
 
@@ -132,7 +161,7 @@ main(int argc, char *argv[]) {
 	isc_sockaddr_t sa_auth[10], sa_recursive[10];
 	unsigned int nsa_auth = 0, nsa_recursive = 0;
 	isc_sockaddrlist_t rec_servers;
-	isc_sockaddrlist_t auth_servers;
+	isc_sockaddrlist_t auth_servers, *auth_serversp = &auth_servers;
 	isc_result_t result;
 	isc_boolean_t isdelete;
 	isc_buffer_t b, *buf;
@@ -144,11 +173,14 @@ main(int argc, char *argv[]) {
 	dns_rdata_t *rdata;
 	dns_namelist_t updatelist, prereqlist, *prereqlistp = NULL;
 	isc_mem_t *umctx = NULL;
+	isc_boolean_t sendtwice = ISC_FALSE;
 
 	ISC_LIST_INIT(auth_servers);
 	ISC_LIST_INIT(rec_servers);
 
-	while ((ch = isc_commandline_parse(argc, argv, "a:k:p:P:r:z:")) != EOF) {
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "a:k:p:P:r:sz:")) != EOF)
+	{
 		switch (ch) {
 		case 'k':
 			keyfilename = isc_commandline_argument;
@@ -172,6 +204,9 @@ main(int argc, char *argv[]) {
 				      &sa_recursive[nsa_recursive]))
 				nsa_recursive++;
 			break;
+		case 's':
+			sendtwice = ISC_TRUE;
+			break;
 		case 'z':
 			zonenamestr = isc_commandline_argument;
 			break;
@@ -209,7 +244,7 @@ main(int argc, char *argv[]) {
 	isc_lib_register();
 	result = dns_lib_init();
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_lib_init failed: %d\n", result);
+		fprintf(stderr, "dns_lib_init failed: %u\n", result);
 		exit(1);
 	}
 	result = isc_mem_create(0, 0, &umctx);
@@ -220,7 +255,7 @@ main(int argc, char *argv[]) {
 
 	result = dns_client_create(&client, 0);
 	if (result != ISC_R_SUCCESS) {
-		fprintf(stderr, "dns_client_create failed: %d\n", result);
+		fprintf(stderr, "dns_client_create failed: %u\n", result);
 		exit(1);
 	}
 
@@ -234,7 +269,7 @@ main(int argc, char *argv[]) {
 		zname = dns_fixedname_name(&zname0);
 		result = dns_name_fromtext(zname, &b, dns_rootname, 0, NULL);
 		if (result != ISC_R_SUCCESS)
-			fprintf(stderr, "failed to convert zone name: %d\n",
+			fprintf(stderr, "failed to convert zone name: %u\n",
 				result);
 	}
 
@@ -258,18 +293,33 @@ main(int argc, char *argv[]) {
 	if (keyfilename != NULL)
 		setup_tsec(keyfilename, umctx);
 
+	if (ISC_LIST_HEAD(auth_servers) == NULL)
+		auth_serversp = NULL;
+
 	/* Perform update */
 	result = dns_client_update(client,
 				   default_rdataclass, /* XXX: fixed */
 				   zname, prereqlistp, &updatelist,
-				   (ISC_LIST_HEAD(auth_servers) == NULL) ?
-				    NULL : &auth_servers, tsec, 0);
+				   auth_serversp, tsec, 0);
 	if (result != ISC_R_SUCCESS) {
 		fprintf(stderr,
 			"update failed: %s\n", dns_result_totext(result));
 	} else
 		fprintf(stderr, "update succeeded\n");
 
+	if (sendtwice) {
+		/* Perform 2nd update */
+		result = dns_client_update(client,
+					   default_rdataclass, /* XXX: fixed */
+					   zname, prereqlistp, &updatelist,
+					   auth_serversp, tsec, 0);
+		if (result != ISC_R_SUCCESS) {
+			fprintf(stderr, "2nd update failed: %s\n",
+				dns_result_totext(result));
+		} else
+			fprintf(stderr, "2nd update succeeded\n");
+	}
+
 	/* Cleanup */
 	while ((pname = ISC_LIST_HEAD(prereqlist)) != NULL) {
 		while ((rdataset = ISC_LIST_HEAD(pname->list)) != NULL) {
diff --git a/usr.sbin/bind/ltmain.sh b/usr.sbin/bind/ltmain.sh
index 16ddbf884b6..0f0a2da3f9d 100644
--- a/usr.sbin/bind/ltmain.sh
+++ b/usr.sbin/bind/ltmain.sh
@@ -1,9 +1,12 @@
+#! /bin/sh
+## DO NOT EDIT - This file generated from ./build-aux/ltmain.in
+##               by inline-source v2014-01-03.01
 
-# libtool (GNU libtool) 2.4.2
+# libtool (GNU libtool) 2.4.6
+# Provide generalized library-building support services.
 # Written by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
-# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc.
+# Copyright (C) 1996-2015 Free Software Foundation, Inc.
 # This is free software; see the source for copying conditions.  There is NO
 # warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 
@@ -23,881 +26,2112 @@
 # General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
-# along with GNU Libtool; see the file COPYING.  If not, a copy
-# can be downloaded from http://www.gnu.org/licenses/gpl.html,
-# or obtained by writing to the Free Software Foundation, Inc.,
-# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# Usage: $progname [OPTION]... [MODE-ARG]...
-#
-# Provide generalized library-building support services.
-#
-#       --config             show all configuration variables
-#       --debug              enable verbose shell tracing
-#   -n, --dry-run            display commands without modifying any files
-#       --features           display basic configuration information and exit
-#       --mode=MODE          use operation mode MODE
-#       --preserve-dup-deps  don't remove duplicate dependency libraries
-#       --quiet, --silent    don't print informational messages
-#       --no-quiet, --no-silent
-#                            print informational messages (default)
-#       --no-warn            don't display warning messages
-#       --tag=TAG            use configuration variables from tag TAG
-#   -v, --verbose            print more informational messages than default
-#       --no-verbose         don't print the extra informational messages
-#       --version            print version information
-#   -h, --help, --help-all   print short, long, or detailed help message
-#
-# MODE must be one of the following:
-#
-#         clean              remove files from the build directory
-#         compile            compile a source file into a libtool object
-#         execute            automatically set library path, then run a program
-#         finish             complete the installation of libtool libraries
-#         install            install libraries or executables
-#         link               create a library or an executable
-#         uninstall          remove libraries from an installed directory
-#
-# MODE-ARGS vary depending on the MODE.  When passed as first option,
-# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that.
-# Try `$progname --help --mode=MODE' for a more detailed description of MODE.
-#
-# When reporting a bug, please describe a test case to reproduce it and
-# include the following information:
-#
-#         host-triplet:	$host
-#         shell:		$SHELL
-#         compiler:		$LTCC
-#         compiler flags:		$LTCFLAGS
-#         linker:		$LD (gnu? $with_gnu_ld)
-#         $progname:	(GNU libtool) 2.4.2
-#         automake:	$automake_version
-#         autoconf:	$autoconf_version
-#
-# Report bugs to <bug-libtool@gnu.org>.
-# GNU libtool home page: <http://www.gnu.org/software/libtool/>.
-# General help using GNU software: <http://www.gnu.org/gethelp/>.
 
 PROGRAM=libtool
 PACKAGE=libtool
-VERSION=2.4.2
-TIMESTAMP=""
-package_revision=1.3337
+VERSION=2.4.6
+package_revision=2.4.6
 
-# Be Bourne compatible
-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# Run './libtool --help' for help with using this script from the
+# command line.
+
+
+## ------------------------------- ##
+## User overridable command paths. ##
+## ------------------------------- ##
+
+# After configure completes, it has a better idea of some of the
+# shell tools we need than the defaults used by the functions shared
+# with bootstrap, so set those here where they can still be over-
+# ridden by the user, but otherwise take precedence.
+
+: ${AUTOCONF="autoconf"}
+: ${AUTOMAKE="automake"}
+
+
+## -------------------------- ##
+## Source external libraries. ##
+## -------------------------- ##
+
+# Much of our low-level functionality needs to be sourced from external
+# libraries, which are installed to $pkgauxdir.
+
+# Set a version string for this script.
+scriptversion=2015-01-20.17; # UTC
+
+# General shell script boiler plate, and helper functions.
+# Written by Gary V. Vaughan, 2004
+
+# Copyright (C) 2004-2015 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# As a special exception to the GNU General Public License, if you distribute
+# this file as part of a program or library that is built using GNU Libtool,
+# you may include this file under the same distribution terms that you use
+# for the rest of that program.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNES FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# Please report bugs or propose patches to gary@gnu.org.
+
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# Evaluate this file near the top of your script to gain access to
+# the functions and variables defined here:
+#
+#   . `echo "$0" | ${SED-sed} 's|[^/]*$||'`/build-aux/funclib.sh
+#
+# If you need to override any of the default environment variable
+# settings, do that before evaluating this file.
+
+
+## -------------------- ##
+## Shell normalisation. ##
+## -------------------- ##
+
+# Some shells need a little help to be as Bourne compatible as possible.
+# Before doing anything else, make sure all that help has been provided!
+
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
   emulate sh
   NULLCMD=:
-  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
   # is contrary to our usage.  Disable this feature.
   alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
 else
-  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
+  case `(set -o) 2>/dev/null` in *posix*) set -o posix ;; esac
 fi
-BIN_SH=xpg4; export BIN_SH # for Tru64
-DUALCASE=1; export DUALCASE # for MKS sh
-
-# A function that is used when there is no print builtin or printf.
-func_fallback_echo ()
-{
-  eval 'cat <<_LTECHO_EOF
-$1
-_LTECHO_EOF'
-}
 
-# NLS nuisances: We save the old values to restore during execute mode.
-lt_user_locale=
-lt_safe_locale=
-for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+# NLS nuisances: We save the old values in case they are required later.
+_G_user_locale=
+_G_safe_locale=
+for _G_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
 do
-  eval "if test \"\${$lt_var+set}\" = set; then
-          save_$lt_var=\$$lt_var
-          $lt_var=C
-	  export $lt_var
-	  lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\"
-	  lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\"
+  eval "if test set = \"\${$_G_var+set}\"; then
+          save_$_G_var=\$$_G_var
+          $_G_var=C
+	  export $_G_var
+	  _G_user_locale=\"$_G_var=\\\$save_\$_G_var; \$_G_user_locale\"
+	  _G_safe_locale=\"$_G_var=C; \$_G_safe_locale\"
 	fi"
 done
-LC_ALL=C
-LANGUAGE=C
-export LANGUAGE LC_ALL
 
-$lt_unset CDPATH
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
 
+# Make sure IFS has a sensible default
+sp=' '
+nl='
+'
+IFS="$sp	$nl"
+
+# There are apparently some retarded systems that use ';' as a PATH separator!
+if test "${PATH_SEPARATOR+set}" != set; then
+  PATH_SEPARATOR=:
+  (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+    (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+      PATH_SEPARATOR=';'
+  }
+fi
+
+
+
+## ------------------------- ##
+## Locate command utilities. ##
+## ------------------------- ##
+
+
+# func_executable_p FILE
+# ----------------------
+# Check that FILE is an executable regular file.
+func_executable_p ()
+{
+    test -f "$1" && test -x "$1"
+}
+
+
+# func_path_progs PROGS_LIST CHECK_FUNC [PATH]
+# --------------------------------------------
+# Search for either a program that responds to --version with output
+# containing "GNU", or else returned by CHECK_FUNC otherwise, by
+# trying all the directories in PATH with each of the elements of
+# PROGS_LIST.
+#
+# CHECK_FUNC should accept the path to a candidate program, and
+# set $func_check_prog_result if it truncates its output less than
+# $_G_path_prog_max characters.
+func_path_progs ()
+{
+    _G_progs_list=$1
+    _G_check_func=$2
+    _G_PATH=${3-"$PATH"}
+
+    _G_path_prog_max=0
+    _G_path_prog_found=false
+    _G_save_IFS=$IFS; IFS=${PATH_SEPARATOR-:}
+    for _G_dir in $_G_PATH; do
+      IFS=$_G_save_IFS
+      test -z "$_G_dir" && _G_dir=.
+      for _G_prog_name in $_G_progs_list; do
+        for _exeext in '' .EXE; do
+          _G_path_prog=$_G_dir/$_G_prog_name$_exeext
+          func_executable_p "$_G_path_prog" || continue
+          case `"$_G_path_prog" --version 2>&1` in
+            *GNU*) func_path_progs_result=$_G_path_prog _G_path_prog_found=: ;;
+            *)     $_G_check_func $_G_path_prog
+		   func_path_progs_result=$func_check_prog_result
+		   ;;
+          esac
+          $_G_path_prog_found && break 3
+        done
+      done
+    done
+    IFS=$_G_save_IFS
+    test -z "$func_path_progs_result" && {
+      echo "no acceptable sed could be found in \$PATH" >&2
+      exit 1
+    }
+}
 
-# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
-# is ksh but when the shell is invoked as "sh" and the current value of
-# the _XPG environment variable is not equal to 1 (one), the special
-# positional parameter $0, within a function call, is the name of the
-# function.
-progpath="$0"
 
+# We want to be able to use the functions in this file before configure
+# has figured out where the best binaries are kept, which means we have
+# to search for them ourselves - except when the results are already set
+# where we skip the searches.
+
+# Unless the user overrides by setting SED, search the path for either GNU
+# sed, or the sed that truncates its output the least.
+test -z "$SED" && {
+  _G_sed_script=s/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/
+  for _G_i in 1 2 3 4 5 6 7; do
+    _G_sed_script=$_G_sed_script$nl$_G_sed_script
+  done
+  echo "$_G_sed_script" 2>/dev/null | sed 99q >conftest.sed
+  _G_sed_script=
+
+  func_check_prog_sed ()
+  {
+    _G_path_prog=$1
+
+    _G_count=0
+    printf 0123456789 >conftest.in
+    while :
+    do
+      cat conftest.in conftest.in >conftest.tmp
+      mv conftest.tmp conftest.in
+      cp conftest.in conftest.nl
+      echo '' >> conftest.nl
+      "$_G_path_prog" -f conftest.sed <conftest.nl >conftest.out 2>/dev/null || break
+      diff conftest.out conftest.nl >/dev/null 2>&1 || break
+      _G_count=`expr $_G_count + 1`
+      if test "$_G_count" -gt "$_G_path_prog_max"; then
+        # Best one so far, save it but keep looking for a better one
+        func_check_prog_result=$_G_path_prog
+        _G_path_prog_max=$_G_count
+      fi
+      # 10*(2^10) chars as input seems more than enough
+      test 10 -lt "$_G_count" && break
+    done
+    rm -f conftest.in conftest.tmp conftest.nl conftest.out
+  }
+
+  func_path_progs "sed gsed" func_check_prog_sed $PATH:/usr/xpg4/bin
+  rm -f conftest.sed
+  SED=$func_path_progs_result
+}
+
+
+# Unless the user overrides by setting GREP, search the path for either GNU
+# grep, or the grep that truncates its output the least.
+test -z "$GREP" && {
+  func_check_prog_grep ()
+  {
+    _G_path_prog=$1
+
+    _G_count=0
+    _G_path_prog_max=0
+    printf 0123456789 >conftest.in
+    while :
+    do
+      cat conftest.in conftest.in >conftest.tmp
+      mv conftest.tmp conftest.in
+      cp conftest.in conftest.nl
+      echo 'GREP' >> conftest.nl
+      "$_G_path_prog" -e 'GREP$' -e '-(cannot match)-' <conftest.nl >conftest.out 2>/dev/null || break
+      diff conftest.out conftest.nl >/dev/null 2>&1 || break
+      _G_count=`expr $_G_count + 1`
+      if test "$_G_count" -gt "$_G_path_prog_max"; then
+        # Best one so far, save it but keep looking for a better one
+        func_check_prog_result=$_G_path_prog
+        _G_path_prog_max=$_G_count
+      fi
+      # 10*(2^10) chars as input seems more than enough
+      test 10 -lt "$_G_count" && break
+    done
+    rm -f conftest.in conftest.tmp conftest.nl conftest.out
+  }
+
+  func_path_progs "grep ggrep" func_check_prog_grep $PATH:/usr/xpg4/bin
+  GREP=$func_path_progs_result
+}
 
 
+## ------------------------------- ##
+## User overridable command paths. ##
+## ------------------------------- ##
+
+# All uppercase variable names are used for environment variables.  These
+# variables can be overridden by the user before calling a script that
+# uses them if a suitable command of that name is not already available
+# in the command search PATH.
+
 : ${CP="cp -f"}
-test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'}
+: ${ECHO="printf %s\n"}
+: ${EGREP="$GREP -E"}
+: ${FGREP="$GREP -F"}
+: ${LN_S="ln -s"}
 : ${MAKE="make"}
 : ${MKDIR="mkdir"}
 : ${MV="mv -f"}
 : ${RM="rm -f"}
 : ${SHELL="${CONFIG_SHELL-/bin/sh}"}
-: ${Xsed="$SED -e 1s/^X//"}
 
-# Global variables:
-EXIT_SUCCESS=0
-EXIT_FAILURE=1
-EXIT_MISMATCH=63  # $? = 63 is used to indicate version mismatch to missing.
-EXIT_SKIP=77	  # $? = 77 is used to indicate a skipped test to automake.
-
-exit_status=$EXIT_SUCCESS
 
-# Make sure IFS has a sensible default
-lt_nl='
-'
-IFS=" 	$lt_nl"
-
-dirname="s,/[^/]*$,,"
-basename="s,^.*/,,"
-
-# func_dirname file append nondir_replacement
-# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
-# otherwise set result to NONDIR_REPLACEMENT.
-func_dirname ()
-{
-    func_dirname_result=`$ECHO "${1}" | $SED "$dirname"`
-    if test "X$func_dirname_result" = "X${1}"; then
-      func_dirname_result="${3}"
-    else
-      func_dirname_result="$func_dirname_result${2}"
-    fi
-} # func_dirname may be replaced by extended shell implementation
+## -------------------- ##
+## Useful sed snippets. ##
+## -------------------- ##
 
+sed_dirname='s|/[^/]*$||'
+sed_basename='s|^.*/||'
 
-# func_basename file
-func_basename ()
-{
-    func_basename_result=`$ECHO "${1}" | $SED "$basename"`
-} # func_basename may be replaced by extended shell implementation
+# Sed substitution that helps us do robust quoting.  It backslashifies
+# metacharacters that are still active within double-quoted strings.
+sed_quote_subst='s|\([`"$\\]\)|\\\1|g'
 
+# Same as above, but do not quote variable references.
+sed_double_quote_subst='s/\(["`\\]\)/\\\1/g'
 
-# func_dirname_and_basename file append nondir_replacement
-# perform func_basename and func_dirname in a single function
-# call:
-#   dirname:  Compute the dirname of FILE.  If nonempty,
-#             add APPEND to the result, otherwise set result
-#             to NONDIR_REPLACEMENT.
-#             value returned in "$func_dirname_result"
-#   basename: Compute filename of FILE.
-#             value retuned in "$func_basename_result"
-# Implementation must be kept synchronized with func_dirname
-# and func_basename. For efficiency, we do not delegate to
-# those functions but instead duplicate the functionality here.
-func_dirname_and_basename ()
-{
-    # Extract subdirectory from the argument.
-    func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"`
-    if test "X$func_dirname_result" = "X${1}"; then
-      func_dirname_result="${3}"
-    else
-      func_dirname_result="$func_dirname_result${2}"
-    fi
-    func_basename_result=`$ECHO "${1}" | $SED -e "$basename"`
-} # func_dirname_and_basename may be replaced by extended shell implementation
+# Sed substitution that turns a string into a regex matching for the
+# string literally.
+sed_make_literal_regex='s|[].[^$\\*\/]|\\&|g'
 
+# Sed substitution that converts a w32 file name or path
+# that contains forward slashes, into one that contains
+# (escaped) backslashes.  A very naive implementation.
+sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
+
+# Re-'\' parameter expansions in output of sed_double_quote_subst that
+# were '\'-ed in input to the same.  If an odd number of '\' preceded a
+# '$' in input to sed_double_quote_subst, that '$' was protected from
+# expansion.  Since each input '\' is now two '\'s, look for any number
+# of runs of four '\'s followed by two '\'s and then a '$'.  '\' that '$'.
+_G_bs='\\'
+_G_bs2='\\\\'
+_G_bs4='\\\\\\\\'
+_G_dollar='\$'
+sed_double_backslash="\
+  s/$_G_bs4/&\\
+/g
+  s/^$_G_bs2$_G_dollar/$_G_bs&/
+  s/\\([^$_G_bs]\\)$_G_bs2$_G_dollar/\\1$_G_bs2$_G_bs$_G_dollar/g
+  s/\n//g"
 
-# func_stripname prefix suffix name
-# strip PREFIX and SUFFIX off of NAME.
-# PREFIX and SUFFIX must not contain globbing or regex special
-# characters, hashes, percent signs, but SUFFIX may contain a leading
-# dot (in which case that matches only a dot).
-# func_strip_suffix prefix name
-func_stripname ()
-{
-    case ${2} in
-      .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;;
-      *)  func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;;
-    esac
-} # func_stripname may be replaced by extended shell implementation
 
+## ----------------- ##
+## Global variables. ##
+## ----------------- ##
 
-# These SED scripts presuppose an absolute path with a trailing slash.
-pathcar='s,^/\([^/]*\).*$,\1,'
-pathcdr='s,^/[^/]*,,'
-removedotparts=':dotsl
-		s@/\./@/@g
-		t dotsl
-		s,/\.$,/,'
-collapseslashes='s@/\{1,\}@/@g'
-finalslash='s,/*$,/,'
+# Except for the global variables explicitly listed below, the following
+# functions in the '^func_' namespace, and the '^require_' namespace
+# variables initialised in the 'Resource management' section, sourcing
+# this file will not pollute your global namespace with anything
+# else. There's no portable way to scope variables in Bourne shell
+# though, so actually running these functions will sometimes place
+# results into a variable named after the function, and often use
+# temporary variables in the '^_G_' namespace. If you are careful to
+# avoid using those namespaces casually in your sourcing script, things
+# should continue to work as you expect. And, of course, you can freely
+# overwrite any of the functions or variables defined here before
+# calling anything to customize them.
 
-# func_normal_abspath PATH
-# Remove doubled-up and trailing slashes, "." path components,
-# and cancel out any ".." path components in PATH after making
-# it an absolute path.
-#             value returned in "$func_normal_abspath_result"
-func_normal_abspath ()
-{
-  # Start from root dir and reassemble the path.
-  func_normal_abspath_result=
-  func_normal_abspath_tpath=$1
-  func_normal_abspath_altnamespace=
-  case $func_normal_abspath_tpath in
-    "")
-      # Empty path, that just means $cwd.
-      func_stripname '' '/' "`pwd`"
-      func_normal_abspath_result=$func_stripname_result
-      return
-    ;;
-    # The next three entries are used to spot a run of precisely
-    # two leading slashes without using negated character classes;
-    # we take advantage of case's first-match behaviour.
-    ///*)
-      # Unusual form of absolute path, do nothing.
-    ;;
-    //*)
-      # Not necessarily an ordinary path; POSIX reserves leading '//'
-      # and for example Cygwin uses it to access remote file shares
-      # over CIFS/SMB, so we conserve a leading double slash if found.
-      func_normal_abspath_altnamespace=/
-    ;;
-    /*)
-      # Absolute path, do nothing.
-    ;;
-    *)
-      # Relative path, prepend $cwd.
-      func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
-    ;;
-  esac
-  # Cancel out all the simple stuff to save iterations.  We also want
-  # the path to end with a slash for ease of parsing, so make sure
-  # there is one (and only one) here.
-  func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"`
-  while :; do
-    # Processed it all yet?
-    if test "$func_normal_abspath_tpath" = / ; then
-      # If we ascended to the root using ".." the result may be empty now.
-      if test -z "$func_normal_abspath_result" ; then
-        func_normal_abspath_result=/
-      fi
-      break
-    fi
-    func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$pathcar"`
-    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
-        -e "$pathcdr"`
-    # Figure out what to do with it
-    case $func_normal_abspath_tcomponent in
-      "")
-        # Trailing empty path component, ignore it.
-      ;;
-      ..)
-        # Parent dir; strip last assembled component from result.
-        func_dirname "$func_normal_abspath_result"
-        func_normal_abspath_result=$func_dirname_result
-      ;;
-      *)
-        # Actual path component, append it.
-        func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent
-      ;;
-    esac
-  done
-  # Restore leading double-slash if one was found on entry.
-  func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
-}
+EXIT_SUCCESS=0
+EXIT_FAILURE=1
+EXIT_MISMATCH=63  # $? = 63 is used to indicate version mismatch to missing.
+EXIT_SKIP=77	  # $? = 77 is used to indicate a skipped test to automake.
 
-# func_relative_path SRCDIR DSTDIR
-# generates a relative path from SRCDIR to DSTDIR, with a trailing
-# slash if non-empty, suitable for immediately appending a filename
-# without needing to append a separator.
-#             value returned in "$func_relative_path_result"
-func_relative_path ()
-{
-  func_relative_path_result=
-  func_normal_abspath "$1"
-  func_relative_path_tlibdir=$func_normal_abspath_result
-  func_normal_abspath "$2"
-  func_relative_path_tbindir=$func_normal_abspath_result
-
-  # Ascend the tree starting from libdir
-  while :; do
-    # check if we have found a prefix of bindir
-    case $func_relative_path_tbindir in
-      $func_relative_path_tlibdir)
-        # found an exact match
-        func_relative_path_tcancelled=
-        break
-        ;;
-      $func_relative_path_tlibdir*)
-        # found a matching prefix
-        func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
-        func_relative_path_tcancelled=$func_stripname_result
-        if test -z "$func_relative_path_result"; then
-          func_relative_path_result=.
-        fi
-        break
-        ;;
-      *)
-        func_dirname $func_relative_path_tlibdir
-        func_relative_path_tlibdir=${func_dirname_result}
-        if test "x$func_relative_path_tlibdir" = x ; then
-          # Have to descend all the way to the root!
-          func_relative_path_result=../$func_relative_path_result
-          func_relative_path_tcancelled=$func_relative_path_tbindir
-          break
-        fi
-        func_relative_path_result=../$func_relative_path_result
-        ;;
-    esac
-  done
+# Allow overriding, eg assuming that you follow the convention of
+# putting '$debug_cmd' at the start of all your functions, you can get
+# bash to show function call trace with:
+#
+#    debug_cmd='eval echo "${FUNCNAME[0]} $*" >&2' bash your-script-name
+debug_cmd=${debug_cmd-":"}
+exit_cmd=:
 
-  # Now calculate path; take care to avoid doubling-up slashes.
-  func_stripname '' '/' "$func_relative_path_result"
-  func_relative_path_result=$func_stripname_result
-  func_stripname '/' '/' "$func_relative_path_tcancelled"
-  if test "x$func_stripname_result" != x ; then
-    func_relative_path_result=${func_relative_path_result}/${func_stripname_result}
-  fi
+# By convention, finish your script with:
+#
+#    exit $exit_status
+#
+# so that you can set exit_status to non-zero if you want to indicate
+# something went wrong during execution without actually bailing out at
+# the point of failure.
+exit_status=$EXIT_SUCCESS
 
-  # Normalisation. If bindir is libdir, return empty string,
-  # else relative path ending with a slash; either way, target
-  # file name can be directly appended.
-  if test ! -z "$func_relative_path_result"; then
-    func_stripname './' '' "$func_relative_path_result/"
-    func_relative_path_result=$func_stripname_result
-  fi
-}
+# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh
+# is ksh but when the shell is invoked as "sh" and the current value of
+# the _XPG environment variable is not equal to 1 (one), the special
+# positional parameter $0, within a function call, is the name of the
+# function.
+progpath=$0
 
-# The name of this program:
-func_dirname_and_basename "$progpath"
-progname=$func_basename_result
+# The name of this program.
+progname=`$ECHO "$progpath" |$SED "$sed_basename"`
 
-# Make sure we have an absolute path for reexecution:
+# Make sure we have an absolute progpath for reexecution:
 case $progpath in
   [\\/]*|[A-Za-z]:\\*) ;;
   *[\\/]*)
-     progdir=$func_dirname_result
+     progdir=`$ECHO "$progpath" |$SED "$sed_dirname"`
      progdir=`cd "$progdir" && pwd`
-     progpath="$progdir/$progname"
+     progpath=$progdir/$progname
      ;;
   *)
-     save_IFS="$IFS"
+     _G_IFS=$IFS
      IFS=${PATH_SEPARATOR-:}
      for progdir in $PATH; do
-       IFS="$save_IFS"
+       IFS=$_G_IFS
        test -x "$progdir/$progname" && break
      done
-     IFS="$save_IFS"
+     IFS=$_G_IFS
      test -n "$progdir" || progdir=`pwd`
-     progpath="$progdir/$progname"
+     progpath=$progdir/$progname
      ;;
 esac
 
-# Sed substitution that helps us do robust quoting.  It backslashifies
-# metacharacters that are still active within double-quoted strings.
-Xsed="${SED}"' -e 1s/^X//'
-sed_quote_subst='s/\([`"$\\]\)/\\\1/g'
 
-# Same as above, but do not quote variable references.
-double_quote_subst='s/\(["`\\]\)/\\\1/g'
+## ----------------- ##
+## Standard options. ##
+## ----------------- ##
 
-# Sed substitution that turns a string into a regex matching for the
-# string literally.
-sed_make_literal_regex='s,[].[^$\\*\/],\\&,g'
-
-# Sed substitution that converts a w32 file name or path
-# which contains forward slashes, into one that contains
-# (escaped) backslashes.  A very naive implementation.
-lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g'
-
-# Re-`\' parameter expansions in output of double_quote_subst that were
-# `\'-ed in input to the same.  If an odd number of `\' preceded a '$'
-# in input to double_quote_subst, that '$' was protected from expansion.
-# Since each input `\' is now two `\'s, look for any number of runs of
-# four `\'s followed by two `\'s and then a '$'.  `\' that '$'.
-bs='\\'
-bs2='\\\\'
-bs4='\\\\\\\\'
-dollar='\$'
-sed_double_backslash="\
-  s/$bs4/&\\
-/g
-  s/^$bs2$dollar/$bs&/
-  s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g
-  s/\n//g"
+# The following options affect the operation of the functions defined
+# below, and should be set appropriately depending on run-time para-
+# meters passed on the command line.
 
-# Standard options:
 opt_dry_run=false
-opt_help=false
 opt_quiet=false
 opt_verbose=false
-opt_warning=:
 
-# func_echo arg...
-# Echo program name prefixed message, along with the current mode
-# name if it has been set yet.
-func_echo ()
+# Categories 'all' and 'none' are always available.  Append any others
+# you will pass as the first argument to func_warning from your own
+# code.
+warning_categories=
+
+# By default, display warnings according to 'opt_warning_types'.  Set
+# 'warning_func'  to ':' to elide all warnings, or func_fatal_error to
+# treat the next displayed warning as a fatal error.
+warning_func=func_warn_and_continue
+
+# Set to 'all' to display all warnings, 'none' to suppress all
+# warnings, or a space delimited list of some subset of
+# 'warning_categories' to display only the listed warnings.
+opt_warning_types=all
+
+
+## -------------------- ##
+## Resource management. ##
+## -------------------- ##
+
+# This section contains definitions for functions that each ensure a
+# particular resource (a file, or a non-empty configuration variable for
+# example) is available, and if appropriate to extract default values
+# from pertinent package files. Call them using their associated
+# 'require_*' variable to ensure that they are executed, at most, once.
+#
+# It's entirely deliberate that calling these functions can set
+# variables that don't obey the namespace limitations obeyed by the rest
+# of this file, in order that that they be as useful as possible to
+# callers.
+
+
+# require_term_colors
+# -------------------
+# Allow display of bold text on terminals that support it.
+require_term_colors=func_require_term_colors
+func_require_term_colors ()
 {
-    $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
+    $debug_cmd
+
+    test -t 1 && {
+      # COLORTERM and USE_ANSI_COLORS environment variables take
+      # precedence, because most terminfo databases neglect to describe
+      # whether color sequences are supported.
+      test -n "${COLORTERM+set}" && : ${USE_ANSI_COLORS="1"}
+
+      if test 1 = "$USE_ANSI_COLORS"; then
+        # Standard ANSI escape sequences
+        tc_reset=''
+        tc_bold='';   tc_standout=''
+        tc_red='';   tc_green=''
+        tc_blue='';  tc_cyan=''
+      else
+        # Otherwise trust the terminfo database after all.
+        test -n "`tput sgr0 2>/dev/null`" && {
+          tc_reset=`tput sgr0`
+          test -n "`tput bold 2>/dev/null`" && tc_bold=`tput bold`
+          tc_standout=$tc_bold
+          test -n "`tput smso 2>/dev/null`" && tc_standout=`tput smso`
+          test -n "`tput setaf 1 2>/dev/null`" && tc_red=`tput setaf 1`
+          test -n "`tput setaf 2 2>/dev/null`" && tc_green=`tput setaf 2`
+          test -n "`tput setaf 4 2>/dev/null`" && tc_blue=`tput setaf 4`
+          test -n "`tput setaf 5 2>/dev/null`" && tc_cyan=`tput setaf 5`
+        }
+      fi
+    }
+
+    require_term_colors=:
 }
 
-# func_verbose arg...
-# Echo program name prefixed message in verbose mode only.
-func_verbose ()
+
+## ----------------- ##
+## Function library. ##
+## ----------------- ##
+
+# This section contains a variety of useful functions to call in your
+# scripts. Take note of the portable wrappers for features provided by
+# some modern shells, which will fall back to slower equivalents on
+# less featureful shells.
+
+
+# func_append VAR VALUE
+# ---------------------
+# Append VALUE onto the existing contents of VAR.
+
+  # We should try to minimise forks, especially on Windows where they are
+  # unreasonably slow, so skip the feature probes when bash or zsh are
+  # being used:
+  if test set = "${BASH_VERSION+set}${ZSH_VERSION+set}"; then
+    : ${_G_HAVE_ARITH_OP="yes"}
+    : ${_G_HAVE_XSI_OPS="yes"}
+    # The += operator was introduced in bash 3.1
+    case $BASH_VERSION in
+      [12].* | 3.0 | 3.0*) ;;
+      *)
+        : ${_G_HAVE_PLUSEQ_OP="yes"}
+        ;;
+    esac
+  fi
+
+  # _G_HAVE_PLUSEQ_OP
+  # Can be empty, in which case the shell is probed, "yes" if += is
+  # useable or anything else if it does not work.
+  test -z "$_G_HAVE_PLUSEQ_OP" \
+    && (eval 'x=a; x+=" b"; test "a b" = "$x"') 2>/dev/null \
+    && _G_HAVE_PLUSEQ_OP=yes
+
+if test yes = "$_G_HAVE_PLUSEQ_OP"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_append ()
+  {
+    $debug_cmd
+
+    eval "$1+=\$2"
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_append ()
+  {
+    $debug_cmd
+
+    eval "$1=\$$1\$2"
+  }
+fi
+
+
+# func_append_quoted VAR VALUE
+# ----------------------------
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+if test yes = "$_G_HAVE_PLUSEQ_OP"; then
+  eval 'func_append_quoted ()
+  {
+    $debug_cmd
+
+    func_quote_for_eval "$2"
+    eval "$1+=\\ \$func_quote_for_eval_result"
+  }'
+else
+  func_append_quoted ()
+  {
+    $debug_cmd
+
+    func_quote_for_eval "$2"
+    eval "$1=\$$1\\ \$func_quote_for_eval_result"
+  }
+fi
+
+
+# func_append_uniq VAR VALUE
+# --------------------------
+# Append unique VALUE onto the existing contents of VAR, assuming
+# entries are delimited by the first character of VALUE.  For example:
+#
+#   func_append_uniq options " --another-option option-argument"
+#
+# will only append to $options if " --another-option option-argument "
+# is not already present somewhere in $options already (note spaces at
+# each end implied by leading space in second argument).
+func_append_uniq ()
 {
-    $opt_verbose && func_echo ${1+"$@"}
+    $debug_cmd
 
-    # A bug in bash halts the script if the last line of a function
-    # fails when set -e is in force, so we need another command to
-    # work around that:
-    :
+    eval _G_current_value='`$ECHO $'$1'`'
+    _G_delim=`expr "$2" : '\(.\)'`
+
+    case $_G_delim$_G_current_value$_G_delim in
+      *"$2$_G_delim"*) ;;
+      *) func_append "$@" ;;
+    esac
 }
 
-# func_echo_all arg...
+
+# func_arith TERM...
+# ------------------
+# Set func_arith_result to the result of evaluating TERMs.
+  test -z "$_G_HAVE_ARITH_OP" \
+    && (eval 'test 2 = $(( 1 + 1 ))') 2>/dev/null \
+    && _G_HAVE_ARITH_OP=yes
+
+if test yes = "$_G_HAVE_ARITH_OP"; then
+  eval 'func_arith ()
+  {
+    $debug_cmd
+
+    func_arith_result=$(( $* ))
+  }'
+else
+  func_arith ()
+  {
+    $debug_cmd
+
+    func_arith_result=`expr "$@"`
+  }
+fi
+
+
+# func_basename FILE
+# ------------------
+# Set func_basename_result to FILE with everything up to and including
+# the last / stripped.
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  # If this shell supports suffix pattern removal, then use it to avoid
+  # forking. Hide the definitions single quotes in case the shell chokes
+  # on unsupported syntax...
+  _b='func_basename_result=${1##*/}'
+  _d='case $1 in
+        */*) func_dirname_result=${1%/*}$2 ;;
+        *  ) func_dirname_result=$3        ;;
+      esac'
+
+else
+  # ...otherwise fall back to using sed.
+  _b='func_basename_result=`$ECHO "$1" |$SED "$sed_basename"`'
+  _d='func_dirname_result=`$ECHO "$1"  |$SED "$sed_dirname"`
+      if test "X$func_dirname_result" = "X$1"; then
+        func_dirname_result=$3
+      else
+        func_append func_dirname_result "$2"
+      fi'
+fi
+
+eval 'func_basename ()
+{
+    $debug_cmd
+
+    '"$_b"'
+}'
+
+
+# func_dirname FILE APPEND NONDIR_REPLACEMENT
+# -------------------------------------------
+# Compute the dirname of FILE.  If nonempty, add APPEND to the result,
+# otherwise set result to NONDIR_REPLACEMENT.
+eval 'func_dirname ()
+{
+    $debug_cmd
+
+    '"$_d"'
+}'
+
+
+# func_dirname_and_basename FILE APPEND NONDIR_REPLACEMENT
+# --------------------------------------------------------
+# Perform func_basename and func_dirname in a single function
+# call:
+#   dirname:  Compute the dirname of FILE.  If nonempty,
+#             add APPEND to the result, otherwise set result
+#             to NONDIR_REPLACEMENT.
+#             value returned in "$func_dirname_result"
+#   basename: Compute filename of FILE.
+#             value retuned in "$func_basename_result"
+# For efficiency, we do not delegate to the functions above but instead
+# duplicate the functionality here.
+eval 'func_dirname_and_basename ()
+{
+    $debug_cmd
+
+    '"$_b"'
+    '"$_d"'
+}'
+
+
+# func_echo ARG...
+# ----------------
+# Echo program name prefixed message.
+func_echo ()
+{
+    $debug_cmd
+
+    _G_message=$*
+
+    func_echo_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_IFS
+      $ECHO "$progname: $_G_line"
+    done
+    IFS=$func_echo_IFS
+}
+
+
+# func_echo_all ARG...
+# --------------------
 # Invoke $ECHO with all args, space-separated.
 func_echo_all ()
 {
     $ECHO "$*"
 }
 
-# func_error arg...
-# Echo program name prefixed message to standard error.
-func_error ()
+
+# func_echo_infix_1 INFIX ARG...
+# ------------------------------
+# Echo program name, followed by INFIX on the first line, with any
+# additional lines not showing INFIX.
+func_echo_infix_1 ()
 {
-    $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
+    $debug_cmd
+
+    $require_term_colors
+
+    _G_infix=$1; shift
+    _G_indent=$_G_infix
+    _G_prefix="$progname: $_G_infix: "
+    _G_message=$*
+
+    # Strip color escape sequences before counting printable length
+    for _G_tc in "$tc_reset" "$tc_bold" "$tc_standout" "$tc_red" "$tc_green" "$tc_blue" "$tc_cyan"
+    do
+      test -n "$_G_tc" && {
+        _G_esc_tc=`$ECHO "$_G_tc" | $SED "$sed_make_literal_regex"`
+        _G_indent=`$ECHO "$_G_indent" | $SED "s|$_G_esc_tc||g"`
+      }
+    done
+    _G_indent="$progname: "`echo "$_G_indent" | $SED 's|.| |g'`"  " ## exclude from sc_prohibit_nested_quotes
+
+    func_echo_infix_1_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_infix_1_IFS
+      $ECHO "$_G_prefix$tc_bold$_G_line$tc_reset" >&2
+      _G_prefix=$_G_indent
+    done
+    IFS=$func_echo_infix_1_IFS
 }
 
-# func_warning arg...
-# Echo program name prefixed warning message to standard error.
-func_warning ()
+
+# func_error ARG...
+# -----------------
+# Echo program name prefixed message to standard error.
+func_error ()
 {
-    $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
+    $debug_cmd
 
-    # bash bug again:
-    :
+    $require_term_colors
+
+    func_echo_infix_1 "  $tc_standout${tc_red}error$tc_reset" "$*" >&2
 }
 
-# func_fatal_error arg...
+
+# func_fatal_error ARG...
+# -----------------------
 # Echo program name prefixed message to standard error, and exit.
 func_fatal_error ()
 {
-    func_error ${1+"$@"}
-    exit $EXIT_FAILURE
-}
+    $debug_cmd
 
-# func_fatal_help arg...
-# Echo program name prefixed message to standard error, followed by
-# a help hint, and exit.
-func_fatal_help ()
-{
-    func_error ${1+"$@"}
-    func_fatal_error "$help"
+    func_error "$*"
+    exit $EXIT_FAILURE
 }
-help="Try \`$progname --help' for more information."  ## default
 
 
-# func_grep expression filename
+# func_grep EXPRESSION FILENAME
+# -----------------------------
 # Check whether EXPRESSION matches any line of FILENAME, without output.
 func_grep ()
 {
+    $debug_cmd
+
     $GREP "$1" "$2" >/dev/null 2>&1
 }
 
 
-# func_mkdir_p directory-path
+# func_len STRING
+# ---------------
+# Set func_len_result to the length of STRING. STRING may not
+# start with a hyphen.
+  test -z "$_G_HAVE_XSI_OPS" \
+    && (eval 'x=a/b/c;
+      test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \
+    && _G_HAVE_XSI_OPS=yes
+
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_len ()
+  {
+    $debug_cmd
+
+    func_len_result=${#1}
+  }'
+else
+  func_len ()
+  {
+    $debug_cmd
+
+    func_len_result=`expr "$1" : ".*" 2>/dev/null || echo $max_cmd_len`
+  }
+fi
+
+
+# func_mkdir_p DIRECTORY-PATH
+# ---------------------------
 # Make sure the entire path to DIRECTORY-PATH is available.
 func_mkdir_p ()
 {
-    my_directory_path="$1"
-    my_dir_list=
+    $debug_cmd
 
-    if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then
+    _G_directory_path=$1
+    _G_dir_list=
 
-      # Protect directory names starting with `-'
-      case $my_directory_path in
-        -*) my_directory_path="./$my_directory_path" ;;
+    if test -n "$_G_directory_path" && test : != "$opt_dry_run"; then
+
+      # Protect directory names starting with '-'
+      case $_G_directory_path in
+        -*) _G_directory_path=./$_G_directory_path ;;
       esac
 
       # While some portion of DIR does not yet exist...
-      while test ! -d "$my_directory_path"; do
+      while test ! -d "$_G_directory_path"; do
         # ...make a list in topmost first order.  Use a colon delimited
 	# list incase some portion of path contains whitespace.
-        my_dir_list="$my_directory_path:$my_dir_list"
+        _G_dir_list=$_G_directory_path:$_G_dir_list
 
         # If the last portion added has no slash in it, the list is done
-        case $my_directory_path in */*) ;; *) break ;; esac
+        case $_G_directory_path in */*) ;; *) break ;; esac
 
         # ...otherwise throw away the child directory and loop
-        my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
+        _G_directory_path=`$ECHO "$_G_directory_path" | $SED -e "$sed_dirname"`
       done
-      my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
+      _G_dir_list=`$ECHO "$_G_dir_list" | $SED 's|:*$||'`
 
-      save_mkdir_p_IFS="$IFS"; IFS=':'
-      for my_dir in $my_dir_list; do
-	IFS="$save_mkdir_p_IFS"
-        # mkdir can fail with a `File exist' error if two processes
+      func_mkdir_p_IFS=$IFS; IFS=:
+      for _G_dir in $_G_dir_list; do
+	IFS=$func_mkdir_p_IFS
+        # mkdir can fail with a 'File exist' error if two processes
         # try to create one of the directories concurrently.  Don't
         # stop in that case!
-        $MKDIR "$my_dir" 2>/dev/null || :
+        $MKDIR "$_G_dir" 2>/dev/null || :
       done
-      IFS="$save_mkdir_p_IFS"
+      IFS=$func_mkdir_p_IFS
 
       # Bail out if we (or some other process) failed to create a directory.
-      test -d "$my_directory_path" || \
-        func_fatal_error "Failed to create \`$1'"
+      test -d "$_G_directory_path" || \
+        func_fatal_error "Failed to create '$1'"
     fi
 }
 
 
-# func_mktempdir [string]
+# func_mktempdir [BASENAME]
+# -------------------------
 # Make a temporary directory that won't clash with other running
 # libtool processes, and avoids race conditions if possible.  If
-# given, STRING is the basename for that directory.
+# given, BASENAME is the basename for that directory.
 func_mktempdir ()
 {
-    my_template="${TMPDIR-/tmp}/${1-$progname}"
+    $debug_cmd
+
+    _G_template=${TMPDIR-/tmp}/${1-$progname}
 
-    if test "$opt_dry_run" = ":"; then
+    if test : = "$opt_dry_run"; then
       # Return a directory name, but don't create it in dry-run mode
-      my_tmpdir="${my_template}-$$"
+      _G_tmpdir=$_G_template-$$
     else
 
       # If mktemp works, use that first and foremost
-      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+      _G_tmpdir=`mktemp -d "$_G_template-XXXXXXXX" 2>/dev/null`
 
-      if test ! -d "$my_tmpdir"; then
+      if test ! -d "$_G_tmpdir"; then
         # Failing that, at least try and use $RANDOM to avoid a race
-        my_tmpdir="${my_template}-${RANDOM-0}$$"
+        _G_tmpdir=$_G_template-${RANDOM-0}$$
 
-        save_mktempdir_umask=`umask`
+        func_mktempdir_umask=`umask`
         umask 0077
-        $MKDIR "$my_tmpdir"
-        umask $save_mktempdir_umask
+        $MKDIR "$_G_tmpdir"
+        umask $func_mktempdir_umask
       fi
 
       # If we're not in dry-run mode, bomb out on failure
-      test -d "$my_tmpdir" || \
-        func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
+      test -d "$_G_tmpdir" || \
+        func_fatal_error "cannot create temporary directory '$_G_tmpdir'"
     fi
 
-    $ECHO "$my_tmpdir"
+    $ECHO "$_G_tmpdir"
 }
 
 
-# func_quote_for_eval arg
-# Aesthetically quote ARG to be evaled later.
-# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT
-# is double-quoted, suitable for a subsequent eval, whereas
-# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters
-# which are still active within double quotes backslashified.
-func_quote_for_eval ()
+# func_normal_abspath PATH
+# ------------------------
+# Remove doubled-up and trailing slashes, "." path components,
+# and cancel out any ".." path components in PATH after making
+# it an absolute path.
+func_normal_abspath ()
 {
-    case $1 in
-      *[\\\`\"\$]*)
-	func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
-      *)
-        func_quote_for_eval_unquoted_result="$1" ;;
-    esac
+    $debug_cmd
 
-    case $func_quote_for_eval_unquoted_result in
-      # Double-quote args containing shell metacharacters to delay
-      # word splitting, command substitution and and variable
-      # expansion for a subsequent eval.
-      # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-        func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\""
+    # These SED scripts presuppose an absolute path with a trailing slash.
+    _G_pathcar='s|^/\([^/]*\).*$|\1|'
+    _G_pathcdr='s|^/[^/]*||'
+    _G_removedotparts=':dotsl
+		s|/\./|/|g
+		t dotsl
+		s|/\.$|/|'
+    _G_collapseslashes='s|/\{1,\}|/|g'
+    _G_finalslash='s|/*$|/|'
+
+    # Start from root dir and reassemble the path.
+    func_normal_abspath_result=
+    func_normal_abspath_tpath=$1
+    func_normal_abspath_altnamespace=
+    case $func_normal_abspath_tpath in
+      "")
+        # Empty path, that just means $cwd.
+        func_stripname '' '/' "`pwd`"
+        func_normal_abspath_result=$func_stripname_result
+        return
+        ;;
+      # The next three entries are used to spot a run of precisely
+      # two leading slashes without using negated character classes;
+      # we take advantage of case's first-match behaviour.
+      ///*)
+        # Unusual form of absolute path, do nothing.
+        ;;
+      //*)
+        # Not necessarily an ordinary path; POSIX reserves leading '//'
+        # and for example Cygwin uses it to access remote file shares
+        # over CIFS/SMB, so we conserve a leading double slash if found.
+        func_normal_abspath_altnamespace=/
+        ;;
+      /*)
+        # Absolute path, do nothing.
         ;;
       *)
-        func_quote_for_eval_result="$func_quote_for_eval_unquoted_result"
+        # Relative path, prepend $cwd.
+        func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath
+        ;;
     esac
+
+    # Cancel out all the simple stuff to save iterations.  We also want
+    # the path to end with a slash for ease of parsing, so make sure
+    # there is one (and only one) here.
+    func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_removedotparts" -e "$_G_collapseslashes" -e "$_G_finalslash"`
+    while :; do
+      # Processed it all yet?
+      if test / = "$func_normal_abspath_tpath"; then
+        # If we ascended to the root using ".." the result may be empty now.
+        if test -z "$func_normal_abspath_result"; then
+          func_normal_abspath_result=/
+        fi
+        break
+      fi
+      func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_pathcar"`
+      func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \
+          -e "$_G_pathcdr"`
+      # Figure out what to do with it
+      case $func_normal_abspath_tcomponent in
+        "")
+          # Trailing empty path component, ignore it.
+          ;;
+        ..)
+          # Parent dir; strip last assembled component from result.
+          func_dirname "$func_normal_abspath_result"
+          func_normal_abspath_result=$func_dirname_result
+          ;;
+        *)
+          # Actual path component, append it.
+          func_append func_normal_abspath_result "/$func_normal_abspath_tcomponent"
+          ;;
+      esac
+    done
+    # Restore leading double-slash if one was found on entry.
+    func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result
+}
+
+
+# func_notquiet ARG...
+# --------------------
+# Echo program name prefixed message only when not in quiet mode.
+func_notquiet ()
+{
+    $debug_cmd
+
+    $opt_quiet || func_echo ${1+"$@"}
+
+    # A bug in bash halts the script if the last line of a function
+    # fails when set -e is in force, so we need another command to
+    # work around that:
+    :
+}
+
+
+# func_relative_path SRCDIR DSTDIR
+# --------------------------------
+# Set func_relative_path_result to the relative path from SRCDIR to DSTDIR.
+func_relative_path ()
+{
+    $debug_cmd
+
+    func_relative_path_result=
+    func_normal_abspath "$1"
+    func_relative_path_tlibdir=$func_normal_abspath_result
+    func_normal_abspath "$2"
+    func_relative_path_tbindir=$func_normal_abspath_result
+
+    # Ascend the tree starting from libdir
+    while :; do
+      # check if we have found a prefix of bindir
+      case $func_relative_path_tbindir in
+        $func_relative_path_tlibdir)
+          # found an exact match
+          func_relative_path_tcancelled=
+          break
+          ;;
+        $func_relative_path_tlibdir*)
+          # found a matching prefix
+          func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir"
+          func_relative_path_tcancelled=$func_stripname_result
+          if test -z "$func_relative_path_result"; then
+            func_relative_path_result=.
+          fi
+          break
+          ;;
+        *)
+          func_dirname $func_relative_path_tlibdir
+          func_relative_path_tlibdir=$func_dirname_result
+          if test -z "$func_relative_path_tlibdir"; then
+            # Have to descend all the way to the root!
+            func_relative_path_result=../$func_relative_path_result
+            func_relative_path_tcancelled=$func_relative_path_tbindir
+            break
+          fi
+          func_relative_path_result=../$func_relative_path_result
+          ;;
+      esac
+    done
+
+    # Now calculate path; take care to avoid doubling-up slashes.
+    func_stripname '' '/' "$func_relative_path_result"
+    func_relative_path_result=$func_stripname_result
+    func_stripname '/' '/' "$func_relative_path_tcancelled"
+    if test -n "$func_stripname_result"; then
+      func_append func_relative_path_result "/$func_stripname_result"
+    fi
+
+    # Normalisation. If bindir is libdir, return '.' else relative path.
+    if test -n "$func_relative_path_result"; then
+      func_stripname './' '' "$func_relative_path_result"
+      func_relative_path_result=$func_stripname_result
+    fi
+
+    test -n "$func_relative_path_result" || func_relative_path_result=.
+
+    :
 }
 
 
-# func_quote_for_expand arg
+# func_quote_for_eval ARG...
+# --------------------------
+# Aesthetically quote ARGs to be evaled later.
+# This function returns two values:
+#   i) func_quote_for_eval_result
+#      double-quoted, suitable for a subsequent eval
+#  ii) func_quote_for_eval_unquoted_result
+#      has all characters that are still active within double
+#      quotes backslashified.
+func_quote_for_eval ()
+{
+    $debug_cmd
+
+    func_quote_for_eval_unquoted_result=
+    func_quote_for_eval_result=
+    while test 0 -lt $#; do
+      case $1 in
+        *[\\\`\"\$]*)
+	  _G_unquoted_arg=`printf '%s\n' "$1" |$SED "$sed_quote_subst"` ;;
+        *)
+          _G_unquoted_arg=$1 ;;
+      esac
+      if test -n "$func_quote_for_eval_unquoted_result"; then
+	func_append func_quote_for_eval_unquoted_result " $_G_unquoted_arg"
+      else
+        func_append func_quote_for_eval_unquoted_result "$_G_unquoted_arg"
+      fi
+
+      case $_G_unquoted_arg in
+        # Double-quote args containing shell metacharacters to delay
+        # word splitting, command substitution and variable expansion
+        # for a subsequent eval.
+        # Many Bourne shells cannot handle close brackets correctly
+        # in scan sets, so we specify it separately.
+        *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+          _G_quoted_arg=\"$_G_unquoted_arg\"
+          ;;
+        *)
+          _G_quoted_arg=$_G_unquoted_arg
+	  ;;
+      esac
+
+      if test -n "$func_quote_for_eval_result"; then
+	func_append func_quote_for_eval_result " $_G_quoted_arg"
+      else
+        func_append func_quote_for_eval_result "$_G_quoted_arg"
+      fi
+      shift
+    done
+}
+
+
+# func_quote_for_expand ARG
+# -------------------------
 # Aesthetically quote ARG to be evaled later; same as above,
 # but do not quote variable references.
 func_quote_for_expand ()
 {
+    $debug_cmd
+
     case $1 in
       *[\\\`\"]*)
-	my_arg=`$ECHO "$1" | $SED \
-	    -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
+	_G_arg=`$ECHO "$1" | $SED \
+	    -e "$sed_double_quote_subst" -e "$sed_double_backslash"` ;;
       *)
-        my_arg="$1" ;;
+        _G_arg=$1 ;;
     esac
 
-    case $my_arg in
+    case $_G_arg in
       # Double-quote args containing shell metacharacters to delay
       # word splitting and command substitution for a subsequent eval.
       # Many Bourne shells cannot handle close brackets correctly
       # in scan sets, so we specify it separately.
       *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
-        my_arg="\"$my_arg\""
+        _G_arg=\"$_G_arg\"
         ;;
     esac
 
-    func_quote_for_expand_result="$my_arg"
+    func_quote_for_expand_result=$_G_arg
 }
 
 
-# func_show_eval cmd [fail_exp]
-# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
+# func_stripname PREFIX SUFFIX NAME
+# ---------------------------------
+# strip PREFIX and SUFFIX from NAME, and store in func_stripname_result.
+# PREFIX and SUFFIX must not contain globbing or regex special
+# characters, hashes, percent signs, but SUFFIX may contain a leading
+# dot (in which case that matches only a dot).
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_stripname ()
+  {
+    $debug_cmd
+
+    # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are
+    # positional parameters, so assign one to ordinary variable first.
+    func_stripname_result=$3
+    func_stripname_result=${func_stripname_result#"$1"}
+    func_stripname_result=${func_stripname_result%"$2"}
+  }'
+else
+  func_stripname ()
+  {
+    $debug_cmd
+
+    case $2 in
+      .*) func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%\\\\$2\$%%"`;;
+      *)  func_stripname_result=`$ECHO "$3" | $SED -e "s%^$1%%" -e "s%$2\$%%"`;;
+    esac
+  }
+fi
+
+
+# func_show_eval CMD [FAIL_EXP]
+# -----------------------------
+# Unless opt_quiet is true, then output CMD.  Then, if opt_dryrun is
 # not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
 # is given, then evaluate it.
 func_show_eval ()
 {
-    my_cmd="$1"
-    my_fail_exp="${2-:}"
+    $debug_cmd
 
-    ${opt_silent-false} || {
-      func_quote_for_expand "$my_cmd"
-      eval "func_echo $func_quote_for_expand_result"
-    }
+    _G_cmd=$1
+    _G_fail_exp=${2-':'}
 
-    if ${opt_dry_run-false}; then :; else
-      eval "$my_cmd"
-      my_status=$?
-      if test "$my_status" -eq 0; then :; else
-	eval "(exit $my_status); $my_fail_exp"
+    func_quote_for_expand "$_G_cmd"
+    eval "func_notquiet $func_quote_for_expand_result"
+
+    $opt_dry_run || {
+      eval "$_G_cmd"
+      _G_status=$?
+      if test 0 -ne "$_G_status"; then
+	eval "(exit $_G_status); $_G_fail_exp"
       fi
-    fi
+    }
 }
 
 
-# func_show_eval_locale cmd [fail_exp]
-# Unless opt_silent is true, then output CMD.  Then, if opt_dryrun is
+# func_show_eval_locale CMD [FAIL_EXP]
+# ------------------------------------
+# Unless opt_quiet is true, then output CMD.  Then, if opt_dryrun is
 # not true, evaluate CMD.  If the evaluation of CMD fails, and FAIL_EXP
 # is given, then evaluate it.  Use the saved locale for evaluation.
 func_show_eval_locale ()
 {
-    my_cmd="$1"
-    my_fail_exp="${2-:}"
+    $debug_cmd
 
-    ${opt_silent-false} || {
-      func_quote_for_expand "$my_cmd"
+    _G_cmd=$1
+    _G_fail_exp=${2-':'}
+
+    $opt_quiet || {
+      func_quote_for_expand "$_G_cmd"
       eval "func_echo $func_quote_for_expand_result"
     }
 
-    if ${opt_dry_run-false}; then :; else
-      eval "$lt_user_locale
-	    $my_cmd"
-      my_status=$?
-      eval "$lt_safe_locale"
-      if test "$my_status" -eq 0; then :; else
-	eval "(exit $my_status); $my_fail_exp"
+    $opt_dry_run || {
+      eval "$_G_user_locale
+	    $_G_cmd"
+      _G_status=$?
+      eval "$_G_safe_locale"
+      if test 0 -ne "$_G_status"; then
+	eval "(exit $_G_status); $_G_fail_exp"
       fi
-    fi
+    }
 }
 
+
 # func_tr_sh
+# ----------
 # Turn $1 into a string suitable for a shell variable name.
 # Result is stored in $func_tr_sh_result.  All characters
 # not in the set a-zA-Z0-9_ are replaced with '_'. Further,
 # if $1 begins with a digit, a '_' is prepended as well.
 func_tr_sh ()
 {
-  case $1 in
-  [0-9]* | *[!a-zA-Z0-9_]*)
-    func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
-    ;;
-  * )
-    func_tr_sh_result=$1
-    ;;
-  esac
+    $debug_cmd
+
+    case $1 in
+    [0-9]* | *[!a-zA-Z0-9_]*)
+      func_tr_sh_result=`$ECHO "$1" | $SED -e 's/^\([0-9]\)/_\1/' -e 's/[^a-zA-Z0-9_]/_/g'`
+      ;;
+    * )
+      func_tr_sh_result=$1
+      ;;
+    esac
 }
 
 
-# func_version
-# Echo version message to standard output and exit.
-func_version ()
+# func_verbose ARG...
+# -------------------
+# Echo program name prefixed message in verbose mode only.
+func_verbose ()
 {
-    $opt_debug
+    $debug_cmd
 
-    $SED -n '/(C)/!b go
-	:more
-	/\./!{
-	  N
-	  s/\n# / /
-	  b more
-	}
-	:go
-	/^# '$PROGRAM' (GNU /,/# warranty; / {
-        s/^# //
-	s/^# *$//
-        s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
-        p
-     }' < "$progpath"
-     exit $?
+    $opt_verbose && func_echo "$*"
+
+    :
 }
 
-# func_usage
-# Echo short help message to standard output and exit.
-func_usage ()
+
+# func_warn_and_continue ARG...
+# -----------------------------
+# Echo program name prefixed warning message to standard error.
+func_warn_and_continue ()
 {
-    $opt_debug
+    $debug_cmd
 
-    $SED -n '/^# Usage:/,/^#  *.*--help/ {
-        s/^# //
-	s/^# *$//
-	s/\$progname/'$progname'/
-	p
-    }' < "$progpath"
-    echo
-    $ECHO "run \`$progname --help | more' for full usage"
-    exit $?
+    $require_term_colors
+
+    func_echo_infix_1 "${tc_red}warning$tc_reset" "$*" >&2
+}
+
+
+# func_warning CATEGORY ARG...
+# ----------------------------
+# Echo program name prefixed warning message to standard error. Warning
+# messages can be filtered according to CATEGORY, where this function
+# elides messages where CATEGORY is not listed in the global variable
+# 'opt_warning_types'.
+func_warning ()
+{
+    $debug_cmd
+
+    # CATEGORY must be in the warning_categories list!
+    case " $warning_categories " in
+      *" $1 "*) ;;
+      *) func_internal_error "invalid warning category '$1'" ;;
+    esac
+
+    _G_category=$1
+    shift
+
+    case " $opt_warning_types " in
+      *" $_G_category "*) $warning_func ${1+"$@"} ;;
+    esac
+}
+
+
+# func_sort_ver VER1 VER2
+# -----------------------
+# 'sort -V' is not generally available.
+# Note this deviates from the version comparison in automake
+# in that it treats 1.5 < 1.5.0, and treats 1.4.4a < 1.4-p3a
+# but this should suffice as we won't be specifying old
+# version formats or redundant trailing .0 in bootstrap.conf.
+# If we did want full compatibility then we should probably
+# use m4_version_compare from autoconf.
+func_sort_ver ()
+{
+    $debug_cmd
+
+    printf '%s\n%s\n' "$1" "$2" \
+      | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n -k 5,5n -k 6,6n -k 7,7n -k 8,8n -k 9,9n
+}
+
+# func_lt_ver PREV CURR
+# ---------------------
+# Return true if PREV and CURR are in the correct order according to
+# func_sort_ver, otherwise false.  Use it like this:
+#
+#  func_lt_ver "$prev_ver" "$proposed_ver" || func_fatal_error "..."
+func_lt_ver ()
+{
+    $debug_cmd
+
+    test "x$1" = x`func_sort_ver "$1" "$2" | $SED 1q`
+}
+
+
+# Local variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC"
+# time-stamp-time-zone: "UTC"
+# End:
+#! /bin/sh
+
+# Set a version string for this script.
+scriptversion=2014-01-07.03; # UTC
+
+# A portable, pluggable option parser for Bourne shell.
+# Written by Gary V. Vaughan, 2010
+
+# Copyright (C) 2010-2015 Free Software Foundation, Inc.
+# This is free software; see the source for copying conditions.  There is NO
+# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# Please report bugs or propose patches to gary@gnu.org.
+
+
+## ------ ##
+## Usage. ##
+## ------ ##
+
+# This file is a library for parsing options in your shell scripts along
+# with assorted other useful supporting features that you can make use
+# of too.
+#
+# For the simplest scripts you might need only:
+#
+#   #!/bin/sh
+#   . relative/path/to/funclib.sh
+#   . relative/path/to/options-parser
+#   scriptversion=1.0
+#   func_options ${1+"$@"}
+#   eval set dummy "$func_options_result"; shift
+#   ...rest of your script...
+#
+# In order for the '--version' option to work, you will need to have a
+# suitably formatted comment like the one at the top of this file
+# starting with '# Written by ' and ending with '# warranty; '.
+#
+# For '-h' and '--help' to work, you will also need a one line
+# description of your script's purpose in a comment directly above the
+# '# Written by ' line, like the one at the top of this file.
+#
+# The default options also support '--debug', which will turn on shell
+# execution tracing (see the comment above debug_cmd below for another
+# use), and '--verbose' and the func_verbose function to allow your script
+# to display verbose messages only when your user has specified
+# '--verbose'.
+#
+# After sourcing this file, you can plug processing for additional
+# options by amending the variables from the 'Configuration' section
+# below, and following the instructions in the 'Option parsing'
+# section further down.
+
+## -------------- ##
+## Configuration. ##
+## -------------- ##
+
+# You should override these variables in your script after sourcing this
+# file so that they reflect the customisations you have added to the
+# option parser.
+
+# The usage line for option parsing errors and the start of '-h' and
+# '--help' output messages. You can embed shell variables for delayed
+# expansion at the time the message is displayed, but you will need to
+# quote other shell meta-characters carefully to prevent them being
+# expanded when the contents are evaled.
+usage='$progpath [OPTION]...'
+
+# Short help message in response to '-h' and '--help'.  Add to this or
+# override it after sourcing this library to reflect the full set of
+# options your script accepts.
+usage_message="\
+       --debug        enable verbose shell tracing
+   -W, --warnings=CATEGORY
+                      report the warnings falling in CATEGORY [all]
+   -v, --verbose      verbosely report processing
+       --version      print version information and exit
+   -h, --help         print short or long help message and exit
+"
+
+# Additional text appended to 'usage_message' in response to '--help'.
+long_help_message="
+Warning categories include:
+       'all'          show all warnings
+       'none'         turn off all the warnings
+       'error'        warnings are treated as fatal errors"
+
+# Help message printed before fatal option parsing errors.
+fatal_help="Try '\$progname --help' for more information."
+
+
+
+## ------------------------- ##
+## Hook function management. ##
+## ------------------------- ##
+
+# This section contains functions for adding, removing, and running hooks
+# to the main code.  A hook is just a named list of of function, that can
+# be run in order later on.
+
+# func_hookable FUNC_NAME
+# -----------------------
+# Declare that FUNC_NAME will run hooks added with
+# 'func_add_hook FUNC_NAME ...'.
+func_hookable ()
+{
+    $debug_cmd
+
+    func_append hookable_fns " $1"
+}
+
+
+# func_add_hook FUNC_NAME HOOK_FUNC
+# ---------------------------------
+# Request that FUNC_NAME call HOOK_FUNC before it returns.  FUNC_NAME must
+# first have been declared "hookable" by a call to 'func_hookable'.
+func_add_hook ()
+{
+    $debug_cmd
+
+    case " $hookable_fns " in
+      *" $1 "*) ;;
+      *) func_fatal_error "'$1' does not accept hook functions." ;;
+    esac
+
+    eval func_append ${1}_hooks '" $2"'
+}
+
+
+# func_remove_hook FUNC_NAME HOOK_FUNC
+# ------------------------------------
+# Remove HOOK_FUNC from the list of functions called by FUNC_NAME.
+func_remove_hook ()
+{
+    $debug_cmd
+
+    eval ${1}_hooks='`$ECHO "\$'$1'_hooks" |$SED "s| '$2'||"`'
+}
+
+
+# func_run_hooks FUNC_NAME [ARG]...
+# ---------------------------------
+# Run all hook functions registered to FUNC_NAME.
+# It is assumed that the list of hook functions contains nothing more
+# than a whitespace-delimited list of legal shell function names, and
+# no effort is wasted trying to catch shell meta-characters or preserve
+# whitespace.
+func_run_hooks ()
+{
+    $debug_cmd
+
+    case " $hookable_fns " in
+      *" $1 "*) ;;
+      *) func_fatal_error "'$1' does not support hook funcions.n" ;;
+    esac
+
+    eval _G_hook_fns=\$$1_hooks; shift
+
+    for _G_hook in $_G_hook_fns; do
+      eval $_G_hook '"$@"'
+
+      # store returned options list back into positional
+      # parameters for next 'cmd' execution.
+      eval _G_hook_result=\$${_G_hook}_result
+      eval set dummy "$_G_hook_result"; shift
+    done
+
+    func_quote_for_eval ${1+"$@"}
+    func_run_hooks_result=$func_quote_for_eval_result
+}
+
+
+
+## --------------- ##
+## Option parsing. ##
+## --------------- ##
+
+# In order to add your own option parsing hooks, you must accept the
+# full positional parameter list in your hook function, remove any
+# options that you action, and then pass back the remaining unprocessed
+# options in '<hooked_function_name>_result', escaped suitably for
+# 'eval'.  Like this:
+#
+#    my_options_prep ()
+#    {
+#        $debug_cmd
+#
+#        # Extend the existing usage message.
+#        usage_message=$usage_message'
+#      -s, --silent       don'\''t print informational messages
+#    '
+#
+#        func_quote_for_eval ${1+"$@"}
+#        my_options_prep_result=$func_quote_for_eval_result
+#    }
+#    func_add_hook func_options_prep my_options_prep
+#
+#
+#    my_silent_option ()
+#    {
+#        $debug_cmd
+#
+#        # Note that for efficiency, we parse as many options as we can
+#        # recognise in a loop before passing the remainder back to the
+#        # caller on the first unrecognised argument we encounter.
+#        while test $# -gt 0; do
+#          opt=$1; shift
+#          case $opt in
+#            --silent|-s) opt_silent=: ;;
+#            # Separate non-argument short options:
+#            -s*)         func_split_short_opt "$_G_opt"
+#                         set dummy "$func_split_short_opt_name" \
+#                             "-$func_split_short_opt_arg" ${1+"$@"}
+#                         shift
+#                         ;;
+#            *)            set dummy "$_G_opt" "$*"; shift; break ;;
+#          esac
+#        done
+#
+#        func_quote_for_eval ${1+"$@"}
+#        my_silent_option_result=$func_quote_for_eval_result
+#    }
+#    func_add_hook func_parse_options my_silent_option
+#
+#
+#    my_option_validation ()
+#    {
+#        $debug_cmd
+#
+#        $opt_silent && $opt_verbose && func_fatal_help "\
+#    '--silent' and '--verbose' options are mutually exclusive."
+#
+#        func_quote_for_eval ${1+"$@"}
+#        my_option_validation_result=$func_quote_for_eval_result
+#    }
+#    func_add_hook func_validate_options my_option_validation
+#
+# You'll alse need to manually amend $usage_message to reflect the extra
+# options you parse.  It's preferable to append if you can, so that
+# multiple option parsing hooks can be added safely.
+
+
+# func_options [ARG]...
+# ---------------------
+# All the functions called inside func_options are hookable. See the
+# individual implementations for details.
+func_hookable func_options
+func_options ()
+{
+    $debug_cmd
+
+    func_options_prep ${1+"$@"}
+    eval func_parse_options \
+        ${func_options_prep_result+"$func_options_prep_result"}
+    eval func_validate_options \
+        ${func_parse_options_result+"$func_parse_options_result"}
+
+    eval func_run_hooks func_options \
+        ${func_validate_options_result+"$func_validate_options_result"}
+
+    # save modified positional parameters for caller
+    func_options_result=$func_run_hooks_result
+}
+
+
+# func_options_prep [ARG]...
+# --------------------------
+# All initialisations required before starting the option parse loop.
+# Note that when calling hook functions, we pass through the list of
+# positional parameters.  If a hook function modifies that list, and
+# needs to propogate that back to rest of this script, then the complete
+# modified list must be put in 'func_run_hooks_result' before
+# returning.
+func_hookable func_options_prep
+func_options_prep ()
+{
+    $debug_cmd
+
+    # Option defaults:
+    opt_verbose=false
+    opt_warning_types=
+
+    func_run_hooks func_options_prep ${1+"$@"}
+
+    # save modified positional parameters for caller
+    func_options_prep_result=$func_run_hooks_result
+}
+
+
+# func_parse_options [ARG]...
+# ---------------------------
+# The main option parsing loop.
+func_hookable func_parse_options
+func_parse_options ()
+{
+    $debug_cmd
+
+    func_parse_options_result=
+
+    # this just eases exit handling
+    while test $# -gt 0; do
+      # Defer to hook functions for initial option parsing, so they
+      # get priority in the event of reusing an option name.
+      func_run_hooks func_parse_options ${1+"$@"}
+
+      # Adjust func_parse_options positional parameters to match
+      eval set dummy "$func_run_hooks_result"; shift
+
+      # Break out of the loop if we already parsed every option.
+      test $# -gt 0 || break
+
+      _G_opt=$1
+      shift
+      case $_G_opt in
+        --debug|-x)   debug_cmd='set -x'
+                      func_echo "enabling shell trace mode"
+                      $debug_cmd
+                      ;;
+
+        --no-warnings|--no-warning|--no-warn)
+                      set dummy --warnings none ${1+"$@"}
+                      shift
+		      ;;
+
+        --warnings|--warning|-W)
+                      test $# = 0 && func_missing_arg $_G_opt && break
+                      case " $warning_categories $1" in
+                        *" $1 "*)
+                          # trailing space prevents matching last $1 above
+                          func_append_uniq opt_warning_types " $1"
+                          ;;
+                        *all)
+                          opt_warning_types=$warning_categories
+                          ;;
+                        *none)
+                          opt_warning_types=none
+                          warning_func=:
+                          ;;
+                        *error)
+                          opt_warning_types=$warning_categories
+                          warning_func=func_fatal_error
+                          ;;
+                        *)
+                          func_fatal_error \
+                             "unsupported warning category: '$1'"
+                          ;;
+                      esac
+                      shift
+                      ;;
+
+        --verbose|-v) opt_verbose=: ;;
+        --version)    func_version ;;
+        -\?|-h)       func_usage ;;
+        --help)       func_help ;;
+
+	# Separate optargs to long options (plugins may need this):
+	--*=*)        func_split_equals "$_G_opt"
+	              set dummy "$func_split_equals_lhs" \
+                          "$func_split_equals_rhs" ${1+"$@"}
+                      shift
+                      ;;
+
+       # Separate optargs to short options:
+        -W*)
+                      func_split_short_opt "$_G_opt"
+                      set dummy "$func_split_short_opt_name" \
+                          "$func_split_short_opt_arg" ${1+"$@"}
+                      shift
+                      ;;
+
+        # Separate non-argument short options:
+        -\?*|-h*|-v*|-x*)
+                      func_split_short_opt "$_G_opt"
+                      set dummy "$func_split_short_opt_name" \
+                          "-$func_split_short_opt_arg" ${1+"$@"}
+                      shift
+                      ;;
+
+        --)           break ;;
+        -*)           func_fatal_help "unrecognised option: '$_G_opt'" ;;
+        *)            set dummy "$_G_opt" ${1+"$@"}; shift; break ;;
+      esac
+    done
+
+    # save modified positional parameters for caller
+    func_quote_for_eval ${1+"$@"}
+    func_parse_options_result=$func_quote_for_eval_result
+}
+
+
+# func_validate_options [ARG]...
+# ------------------------------
+# Perform any sanity checks on option settings and/or unconsumed
+# arguments.
+func_hookable func_validate_options
+func_validate_options ()
+{
+    $debug_cmd
+
+    # Display all warnings if -W was not given.
+    test -n "$opt_warning_types" || opt_warning_types=" $warning_categories"
+
+    func_run_hooks func_validate_options ${1+"$@"}
+
+    # Bail if the options were screwed!
+    $exit_cmd $EXIT_FAILURE
+
+    # save modified positional parameters for caller
+    func_validate_options_result=$func_run_hooks_result
+}
+
+
+
+## ----------------- ##
+## Helper functions. ##
+## ----------------- ##
+
+# This section contains the helper functions used by the rest of the
+# hookable option parser framework in ascii-betical order.
+
+
+# func_fatal_help ARG...
+# ----------------------
+# Echo program name prefixed message to standard error, followed by
+# a help hint, and exit.
+func_fatal_help ()
+{
+    $debug_cmd
+
+    eval \$ECHO \""Usage: $usage"\"
+    eval \$ECHO \""$fatal_help"\"
+    func_error ${1+"$@"}
+    exit $EXIT_FAILURE
 }
 
-# func_help [NOEXIT]
-# Echo long help message to standard output and exit,
-# unless 'noexit' is passed as argument.
+
+# func_help
+# ---------
+# Echo long help message to standard output and exit.
 func_help ()
 {
-    $opt_debug
-
-    $SED -n '/^# Usage:/,/# Report bugs to/ {
-	:print
-        s/^# //
-	s/^# *$//
-	s*\$progname*'$progname'*
-	s*\$host*'"$host"'*
-	s*\$SHELL*'"$SHELL"'*
-	s*\$LTCC*'"$LTCC"'*
-	s*\$LTCFLAGS*'"$LTCFLAGS"'*
-	s*\$LD*'"$LD"'*
-	s/\$with_gnu_ld/'"$with_gnu_ld"'/
-	s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
-	s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
-	p
-	d
-     }
-     /^# .* home page:/b print
-     /^# General help using/b print
-     ' < "$progpath"
-    ret=$?
-    if test -z "$1"; then
-      exit $ret
-    fi
+    $debug_cmd
+
+    func_usage_message
+    $ECHO "$long_help_message"
+    exit 0
 }
 
-# func_missing_arg argname
+
+# func_missing_arg ARGNAME
+# ------------------------
 # Echo program name prefixed message to standard error and set global
 # exit_cmd.
 func_missing_arg ()
 {
-    $opt_debug
+    $debug_cmd
 
-    func_error "missing argument for $1."
+    func_error "Missing argument for '$1'."
     exit_cmd=exit
 }
 
 
-# func_split_short_opt shortopt
+# func_split_equals STRING
+# ------------------------
+# Set func_split_equals_lhs and func_split_equals_rhs shell variables after
+# splitting STRING at the '=' sign.
+test -z "$_G_HAVE_XSI_OPS" \
+    && (eval 'x=a/b/c;
+      test 5aa/bb/cc = "${#x}${x%%/*}${x%/*}${x#*/}${x##*/}"') 2>/dev/null \
+    && _G_HAVE_XSI_OPS=yes
+
+if test yes = "$_G_HAVE_XSI_OPS"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_split_equals ()
+  {
+      $debug_cmd
+
+      func_split_equals_lhs=${1%%=*}
+      func_split_equals_rhs=${1#*=}
+      test "x$func_split_equals_lhs" = "x$1" \
+        && func_split_equals_rhs=
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_split_equals ()
+  {
+      $debug_cmd
+
+      func_split_equals_lhs=`expr "x$1" : 'x\([^=]*\)'`
+      func_split_equals_rhs=
+      test "x$func_split_equals_lhs" = "x$1" \
+        || func_split_equals_rhs=`expr "x$1" : 'x[^=]*=\(.*\)$'`
+  }
+fi #func_split_equals
+
+
+# func_split_short_opt SHORTOPT
+# -----------------------------
 # Set func_split_short_opt_name and func_split_short_opt_arg shell
 # variables after splitting SHORTOPT after the 2nd character.
-func_split_short_opt ()
+if test yes = "$_G_HAVE_XSI_OPS"
+then
+  # This is an XSI compatible shell, allowing a faster implementation...
+  eval 'func_split_short_opt ()
+  {
+      $debug_cmd
+
+      func_split_short_opt_arg=${1#??}
+      func_split_short_opt_name=${1%"$func_split_short_opt_arg"}
+  }'
+else
+  # ...otherwise fall back to using expr, which is often a shell builtin.
+  func_split_short_opt ()
+  {
+      $debug_cmd
+
+      func_split_short_opt_name=`expr "x$1" : 'x-\(.\)'`
+      func_split_short_opt_arg=`expr "x$1" : 'x-.\(.*\)$'`
+  }
+fi #func_split_short_opt
+
+
+# func_usage
+# ----------
+# Echo short help message to standard output and exit.
+func_usage ()
 {
-    my_sed_short_opt='1s/^\(..\).*$/\1/;q'
-    my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
+    $debug_cmd
 
-    func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
-    func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
-} # func_split_short_opt may be replaced by extended shell implementation
+    func_usage_message
+    $ECHO "Run '$progname --help |${PAGER-more}' for full usage"
+    exit 0
+}
 
 
-# func_split_long_opt longopt
-# Set func_split_long_opt_name and func_split_long_opt_arg shell
-# variables after splitting LONGOPT at the `=' sign.
-func_split_long_opt ()
+# func_usage_message
+# ------------------
+# Echo short help message to standard output.
+func_usage_message ()
 {
-    my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
-    my_sed_long_arg='1s/^--[^=]*=//'
+    $debug_cmd
 
-    func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
-    func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
-} # func_split_long_opt may be replaced by extended shell implementation
+    eval \$ECHO \""Usage: $usage"\"
+    echo
+    $SED -n 's|^# ||
+        /^Written by/{
+          x;p;x
+        }
+	h
+	/^Written by/q' < "$progpath"
+    echo
+    eval \$ECHO \""$usage_message"\"
+}
 
-exit_cmd=:
 
+# func_version
+# ------------
+# Echo version message to standard output and exit.
+func_version ()
+{
+    $debug_cmd
 
+    printf '%s\n' "$progname $scriptversion"
+    $SED -n '
+        /(C)/!b go
+        :more
+        /\./!{
+          N
+          s|\n# | |
+          b more
+        }
+        :go
+        /^# Written by /,/# warranty; / {
+          s|^# ||
+          s|^# *$||
+          s|\((C)\)[ 0-9,-]*[ ,-]\([1-9][0-9]* \)|\1 \2|
+          p
+        }
+        /^# Written by / {
+          s|^# ||
+          p
+        }
+        /^warranty; /q' < "$progpath"
 
+    exit $?
+}
 
 
-magic="%%%MAGIC variable%%%"
-magic_exe="%%%MAGIC EXE variable%%%"
+# Local variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'before-save-hook 'time-stamp)
+# time-stamp-pattern: "10/scriptversion=%:y-%02m-%02d.%02H; # UTC"
+# time-stamp-time-zone: "UTC"
+# End:
 
-# Global variables.
-nonopt=
-preserve_args=
-lo2o="s/\\.lo\$/.${objext}/"
-o2lo="s/\\.${objext}\$/.lo/"
-extracted_archives=
-extracted_serial=0
+# Set a version string.
+scriptversion='(GNU libtool) 2.4.6'
 
-# If this variable is set in any of the actions, the command in it
-# will be execed at the end.  This prevents here-documents from being
-# left over by shells.
-exec_cmd=
 
-# func_append var value
-# Append VALUE to the end of shell variable VAR.
-func_append ()
+# func_echo ARG...
+# ----------------
+# Libtool also displays the current mode in messages, so override
+# funclib.sh func_echo with this custom definition.
+func_echo ()
 {
-    eval "${1}=\$${1}\${2}"
-} # func_append may be replaced by extended shell implementation
+    $debug_cmd
 
-# func_append_quoted var value
-# Quote VALUE and append to the end of shell variable VAR, separated
-# by a space.
-func_append_quoted ()
-{
-    func_quote_for_eval "${2}"
-    eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
-} # func_append_quoted may be replaced by extended shell implementation
+    _G_message=$*
 
+    func_echo_IFS=$IFS
+    IFS=$nl
+    for _G_line in $_G_message; do
+      IFS=$func_echo_IFS
+      $ECHO "$progname${opt_mode+: $opt_mode}: $_G_line"
+    done
+    IFS=$func_echo_IFS
+}
 
-# func_arith arithmetic-term...
-func_arith ()
+
+# func_warning ARG...
+# -------------------
+# Libtool warnings are not categorized, so override funclib.sh
+# func_warning with this simpler definition.
+func_warning ()
 {
-    func_arith_result=`expr "${@}"`
-} # func_arith may be replaced by extended shell implementation
+    $debug_cmd
 
+    $warning_func ${1+"$@"}
+}
 
-# func_len string
-# STRING may not start with a hyphen.
-func_len ()
-{
-    func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
-} # func_len may be replaced by extended shell implementation
 
+## ---------------- ##
+## Options parsing. ##
+## ---------------- ##
+
+# Hook in the functions to make sure our own options are parsed during
+# the option parsing loop.
+
+usage='$progpath [OPTION]... [MODE-ARG]...'
+
+# Short help message in response to '-h'.
+usage_message="Options:
+       --config             show all configuration variables
+       --debug              enable verbose shell tracing
+   -n, --dry-run            display commands without modifying any files
+       --features           display basic configuration information and exit
+       --mode=MODE          use operation mode MODE
+       --no-warnings        equivalent to '-Wnone'
+       --preserve-dup-deps  don't remove duplicate dependency libraries
+       --quiet, --silent    don't print informational messages
+       --tag=TAG            use configuration variables from tag TAG
+   -v, --verbose            print more informational messages than default
+       --version            print version information
+   -W, --warnings=CATEGORY  report the warnings falling in CATEGORY [all]
+   -h, --help, --help-all   print short, long, or detailed help message
+"
 
-# func_lo2o object
-func_lo2o ()
+# Additional text appended to 'usage_message' in response to '--help'.
+func_help ()
 {
-    func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
-} # func_lo2o may be replaced by extended shell implementation
+    $debug_cmd
+
+    func_usage_message
+    $ECHO "$long_help_message
+
+MODE must be one of the following:
+
+       clean           remove files from the build directory
+       compile         compile a source file into a libtool object
+       execute         automatically set library path, then run a program
+       finish          complete the installation of libtool libraries
+       install         install libraries or executables
+       link            create a library or an executable
+       uninstall       remove libraries from an installed directory
+
+MODE-ARGS vary depending on the MODE.  When passed as first option,
+'--mode=MODE' may be abbreviated as 'MODE' or a unique abbreviation of that.
+Try '$progname --help --mode=MODE' for a more detailed description of MODE.
+
+When reporting a bug, please describe a test case to reproduce it and
+include the following information:
+
+       host-triplet:   $host
+       shell:          $SHELL
+       compiler:       $LTCC
+       compiler flags: $LTCFLAGS
+       linker:         $LD (gnu? $with_gnu_ld)
+       version:        $progname (GNU libtool) 2.4.6
+       automake:       `($AUTOMAKE --version) 2>/dev/null |$SED 1q`
+       autoconf:       `($AUTOCONF --version) 2>/dev/null |$SED 1q`
+
+Report bugs to <bug-libtool@gnu.org>.
+GNU libtool home page: <http://www.gnu.org/software/libtool/>.
+General help using GNU software: <http://www.gnu.org/gethelp/>."
+    exit 0
+}
 
 
-# func_xform libobj-or-source
-func_xform ()
-{
-    func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
-} # func_xform may be replaced by extended shell implementation
+# func_lo2o OBJECT-NAME
+# ---------------------
+# Transform OBJECT-NAME from a '.lo' suffix to the platform specific
+# object suffix.
 
+lo2o=s/\\.lo\$/.$objext/
+o2lo=s/\\.$objext\$/.lo/
 
-# func_fatal_configuration arg...
+if test yes = "$_G_HAVE_XSI_OPS"; then
+  eval 'func_lo2o ()
+  {
+    case $1 in
+      *.lo) func_lo2o_result=${1%.lo}.$objext ;;
+      *   ) func_lo2o_result=$1               ;;
+    esac
+  }'
+
+  # func_xform LIBOBJ-OR-SOURCE
+  # ---------------------------
+  # Transform LIBOBJ-OR-SOURCE from a '.o' or '.c' (or otherwise)
+  # suffix to a '.lo' libtool-object suffix.
+  eval 'func_xform ()
+  {
+    func_xform_result=${1%.*}.lo
+  }'
+else
+  # ...otherwise fall back to using sed.
+  func_lo2o ()
+  {
+    func_lo2o_result=`$ECHO "$1" | $SED "$lo2o"`
+  }
+
+  func_xform ()
+  {
+    func_xform_result=`$ECHO "$1" | $SED 's|\.[^.]*$|.lo|'`
+  }
+fi
+
+
+# func_fatal_configuration ARG...
+# -------------------------------
 # Echo program name prefixed message to standard error, followed by
 # a configuration failure hint, and exit.
 func_fatal_configuration ()
 {
-    func_error ${1+"$@"}
-    func_error "See the $PACKAGE documentation for more information."
-    func_fatal_error "Fatal configuration error."
+    func__fatal_error ${1+"$@"} \
+      "See the $PACKAGE documentation for more information." \
+      "Fatal configuration error."
 }
 
 
 # func_config
+# -----------
 # Display the configuration for all the tags in this script.
 func_config ()
 {
@@ -915,17 +2149,19 @@ func_config ()
     exit $?
 }
 
+
 # func_features
+# -------------
 # Display the features supported by this script.
 func_features ()
 {
     echo "host: $host"
-    if test "$build_libtool_libs" = yes; then
+    if test yes = "$build_libtool_libs"; then
       echo "enable shared libraries"
     else
       echo "disable shared libraries"
     fi
-    if test "$build_old_libs" = yes; then
+    if test yes = "$build_old_libs"; then
       echo "enable static libraries"
     else
       echo "disable static libraries"
@@ -934,314 +2170,350 @@ func_features ()
     exit $?
 }
 
-# func_enable_tag tagname
+
+# func_enable_tag TAGNAME
+# -----------------------
 # Verify that TAGNAME is valid, and either flag an error and exit, or
 # enable the TAGNAME tag.  We also add TAGNAME to the global $taglist
 # variable here.
 func_enable_tag ()
 {
-  # Global variable:
-  tagname="$1"
+    # Global variable:
+    tagname=$1
 
-  re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
-  re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
-  sed_extractcf="/$re_begincf/,/$re_endcf/p"
+    re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
+    re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
+    sed_extractcf=/$re_begincf/,/$re_endcf/p
 
-  # Validate tagname.
-  case $tagname in
-    *[!-_A-Za-z0-9,/]*)
-      func_fatal_error "invalid tag name: $tagname"
-      ;;
-  esac
+    # Validate tagname.
+    case $tagname in
+      *[!-_A-Za-z0-9,/]*)
+        func_fatal_error "invalid tag name: $tagname"
+        ;;
+    esac
 
-  # Don't test for the "default" C tag, as we know it's
-  # there but not specially marked.
-  case $tagname in
-    CC) ;;
+    # Don't test for the "default" C tag, as we know it's
+    # there but not specially marked.
+    case $tagname in
+        CC) ;;
     *)
-      if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
-	taglist="$taglist $tagname"
-
-	# Evaluate the configuration.  Be careful to quote the path
-	# and the sed script, to avoid splitting on whitespace, but
-	# also don't use non-portable quotes within backquotes within
-	# quotes we have to do it in 2 steps:
-	extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
-	eval "$extractedcf"
-      else
-	func_error "ignoring unknown tag $tagname"
-      fi
-      ;;
-  esac
+        if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
+	  taglist="$taglist $tagname"
+
+	  # Evaluate the configuration.  Be careful to quote the path
+	  # and the sed script, to avoid splitting on whitespace, but
+	  # also don't use non-portable quotes within backquotes within
+	  # quotes we have to do it in 2 steps:
+	  extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
+	  eval "$extractedcf"
+        else
+	  func_error "ignoring unknown tag $tagname"
+        fi
+        ;;
+    esac
 }
 
+
 # func_check_version_match
+# ------------------------
 # Ensure that we are using m4 macros, and libtool script from the same
 # release of libtool.
 func_check_version_match ()
 {
-  if test "$package_revision" != "$macro_revision"; then
-    if test "$VERSION" != "$macro_version"; then
-      if test -z "$macro_version"; then
-        cat >&2 <<_LT_EOF
+    if test "$package_revision" != "$macro_revision"; then
+      if test "$VERSION" != "$macro_version"; then
+        if test -z "$macro_version"; then
+          cat >&2 <<_LT_EOF
 $progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
 $progname: definition of this LT_INIT comes from an older release.
 $progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
 $progname: and run autoconf again.
 _LT_EOF
-      else
-        cat >&2 <<_LT_EOF
+        else
+          cat >&2 <<_LT_EOF
 $progname: Version mismatch error.  This is $PACKAGE $VERSION, but the
 $progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
 $progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
 $progname: and run autoconf again.
 _LT_EOF
-      fi
-    else
-      cat >&2 <<_LT_EOF
+        fi
+      else
+        cat >&2 <<_LT_EOF
 $progname: Version mismatch error.  This is $PACKAGE $VERSION, revision $package_revision,
 $progname: but the definition of this LT_INIT comes from revision $macro_revision.
 $progname: You should recreate aclocal.m4 with macros from revision $package_revision
 $progname: of $PACKAGE $VERSION and run autoconf again.
 _LT_EOF
-    fi
+      fi
 
-    exit $EXIT_MISMATCH
-  fi
+      exit $EXIT_MISMATCH
+    fi
 }
 
 
-# Shorthand for --mode=foo, only valid as the first argument
-case $1 in
-clean|clea|cle|cl)
-  shift; set dummy --mode clean ${1+"$@"}; shift
-  ;;
-compile|compil|compi|comp|com|co|c)
-  shift; set dummy --mode compile ${1+"$@"}; shift
-  ;;
-execute|execut|execu|exec|exe|ex|e)
-  shift; set dummy --mode execute ${1+"$@"}; shift
-  ;;
-finish|finis|fini|fin|fi|f)
-  shift; set dummy --mode finish ${1+"$@"}; shift
-  ;;
-install|instal|insta|inst|ins|in|i)
-  shift; set dummy --mode install ${1+"$@"}; shift
-  ;;
-link|lin|li|l)
-  shift; set dummy --mode link ${1+"$@"}; shift
-  ;;
-uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
-  shift; set dummy --mode uninstall ${1+"$@"}; shift
-  ;;
-esac
+# libtool_options_prep [ARG]...
+# -----------------------------
+# Preparation for options parsed by libtool.
+libtool_options_prep ()
+{
+    $debug_mode
 
+    # Option defaults:
+    opt_config=false
+    opt_dlopen=
+    opt_dry_run=false
+    opt_help=false
+    opt_mode=
+    opt_preserve_dup_deps=false
+    opt_quiet=false
 
+    nonopt=
+    preserve_args=
 
-# Option defaults:
-opt_debug=:
-opt_dry_run=false
-opt_config=false
-opt_preserve_dup_deps=false
-opt_features=false
-opt_finish=false
-opt_help=false
-opt_help_all=false
-opt_silent=:
-opt_warning=:
-opt_verbose=:
-opt_silent=false
-opt_verbose=false
+    # Shorthand for --mode=foo, only valid as the first argument
+    case $1 in
+    clean|clea|cle|cl)
+      shift; set dummy --mode clean ${1+"$@"}; shift
+      ;;
+    compile|compil|compi|comp|com|co|c)
+      shift; set dummy --mode compile ${1+"$@"}; shift
+      ;;
+    execute|execut|execu|exec|exe|ex|e)
+      shift; set dummy --mode execute ${1+"$@"}; shift
+      ;;
+    finish|finis|fini|fin|fi|f)
+      shift; set dummy --mode finish ${1+"$@"}; shift
+      ;;
+    install|instal|insta|inst|ins|in|i)
+      shift; set dummy --mode install ${1+"$@"}; shift
+      ;;
+    link|lin|li|l)
+      shift; set dummy --mode link ${1+"$@"}; shift
+      ;;
+    uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+      shift; set dummy --mode uninstall ${1+"$@"}; shift
+      ;;
+    esac
 
+    # Pass back the list of options.
+    func_quote_for_eval ${1+"$@"}
+    libtool_options_prep_result=$func_quote_for_eval_result
+}
+func_add_hook func_options_prep libtool_options_prep
 
-# Parse options once, thoroughly.  This comes as soon as possible in the
-# script to make things like `--version' happen as quickly as we can.
+
+# libtool_parse_options [ARG]...
+# ---------------------------------
+# Provide handling for libtool specific options.
+libtool_parse_options ()
 {
-  # this just eases exit handling
-  while test $# -gt 0; do
-    opt="$1"
-    shift
-    case $opt in
-      --debug|-x)	opt_debug='set -x'
-			func_echo "enabling shell trace mode"
-			$opt_debug
-			;;
-      --dry-run|--dryrun|-n)
-			opt_dry_run=:
-			;;
-      --config)
-			opt_config=:
-func_config
-			;;
-      --dlopen|-dlopen)
-			optarg="$1"
-			opt_dlopen="${opt_dlopen+$opt_dlopen
-}$optarg"
-			shift
-			;;
-      --preserve-dup-deps)
-			opt_preserve_dup_deps=:
-			;;
-      --features)
-			opt_features=:
-func_features
-			;;
-      --finish)
-			opt_finish=:
-set dummy --mode finish ${1+"$@"}; shift
-			;;
-      --help)
-			opt_help=:
-			;;
-      --help-all)
-			opt_help_all=:
-opt_help=': help-all'
-			;;
-      --mode)
-			test $# = 0 && func_missing_arg $opt && break
-			optarg="$1"
-			opt_mode="$optarg"
-case $optarg in
-  # Valid mode arguments:
-  clean|compile|execute|finish|install|link|relink|uninstall) ;;
-
-  # Catch anything else as an error
-  *) func_error "invalid argument for $opt"
-     exit_cmd=exit
-     break
-     ;;
-esac
-			shift
-			;;
-      --no-silent|--no-quiet)
-			opt_silent=false
-func_append preserve_args " $opt"
-			;;
-      --no-warning|--no-warn)
-			opt_warning=false
-func_append preserve_args " $opt"
-			;;
-      --no-verbose)
-			opt_verbose=false
-func_append preserve_args " $opt"
-			;;
-      --silent|--quiet)
-			opt_silent=:
-func_append preserve_args " $opt"
-        opt_verbose=false
-			;;
-      --verbose|-v)
-			opt_verbose=:
-func_append preserve_args " $opt"
-opt_silent=false
-			;;
-      --tag)
-			test $# = 0 && func_missing_arg $opt && break
-			optarg="$1"
-			opt_tag="$optarg"
-func_append preserve_args " $opt $optarg"
-func_enable_tag "$optarg"
-			shift
-			;;
-
-      -\?|-h)		func_usage				;;
-      --help)		func_help				;;
-      --version)	func_version				;;
-
-      # Separate optargs to long options:
-      --*=*)
-			func_split_long_opt "$opt"
-			set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
-			shift
-			;;
-
-      # Separate non-argument short options:
-      -\?*|-h*|-n*|-v*)
-			func_split_short_opt "$opt"
-			set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
-			shift
-			;;
-
-      --)		break					;;
-      -*)		func_fatal_help "unrecognized option \`$opt'" ;;
-      *)		set dummy "$opt" ${1+"$@"};	shift; break  ;;
-    esac
-  done
+    $debug_cmd
 
-  # Validate options:
+    # Perform our own loop to consume as many options as possible in
+    # each iteration.
+    while test $# -gt 0; do
+      _G_opt=$1
+      shift
+      case $_G_opt in
+        --dry-run|--dryrun|-n)
+                        opt_dry_run=:
+                        ;;
+
+        --config)       func_config ;;
+
+        --dlopen|-dlopen)
+                        opt_dlopen="${opt_dlopen+$opt_dlopen
+}$1"
+                        shift
+                        ;;
+
+        --preserve-dup-deps)
+                        opt_preserve_dup_deps=: ;;
+
+        --features)     func_features ;;
+
+        --finish)       set dummy --mode finish ${1+"$@"}; shift ;;
+
+        --help)         opt_help=: ;;
+
+        --help-all)     opt_help=': help-all' ;;
+
+        --mode)         test $# = 0 && func_missing_arg $_G_opt && break
+                        opt_mode=$1
+                        case $1 in
+                          # Valid mode arguments:
+                          clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+                          # Catch anything else as an error
+                          *) func_error "invalid argument for $_G_opt"
+                             exit_cmd=exit
+                             break
+                             ;;
+                        esac
+                        shift
+                        ;;
+
+        --no-silent|--no-quiet)
+                        opt_quiet=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --no-warnings|--no-warning|--no-warn)
+                        opt_warning=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --no-verbose)
+                        opt_verbose=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --silent|--quiet)
+                        opt_quiet=:
+                        opt_verbose=false
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+        --tag)          test $# = 0 && func_missing_arg $_G_opt && break
+                        opt_tag=$1
+                        func_append preserve_args " $_G_opt $1"
+                        func_enable_tag "$1"
+                        shift
+                        ;;
+
+        --verbose|-v)   opt_quiet=false
+                        opt_verbose=:
+                        func_append preserve_args " $_G_opt"
+                        ;;
+
+	# An option not handled by this hook function:
+        *)		set dummy "$_G_opt" ${1+"$@"};	shift; break  ;;
+      esac
+    done
 
-  # save first non-option argument
-  if test "$#" -gt 0; then
-    nonopt="$opt"
-    shift
-  fi
 
-  # preserve --debug
-  test "$opt_debug" = : || func_append preserve_args " --debug"
+    # save modified positional parameters for caller
+    func_quote_for_eval ${1+"$@"}
+    libtool_parse_options_result=$func_quote_for_eval_result
+}
+func_add_hook func_parse_options libtool_parse_options
 
-  case $host in
-    *cygwin* | *mingw* | *pw32* | *cegcc*)
-      # don't eliminate duplications in $postdeps and $predeps
-      opt_duplicate_compiler_generated_deps=:
-      ;;
-    *)
-      opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
-      ;;
-  esac
 
-  $opt_help || {
-    # Sanity checks first:
-    func_check_version_match
 
-    if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
-      func_fatal_configuration "not configured to build any kind of library"
+# libtool_validate_options [ARG]...
+# ---------------------------------
+# Perform any sanity checks on option settings and/or unconsumed
+# arguments.
+libtool_validate_options ()
+{
+    # save first non-option argument
+    if test 0 -lt $#; then
+      nonopt=$1
+      shift
     fi
 
-    # Darwin sucks
-    eval std_shrext=\"$shrext_cmds\"
+    # preserve --debug
+    test : = "$debug_cmd" || func_append preserve_args " --debug"
 
-    # Only execute mode is allowed to have -dlopen flags.
-    if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
-      func_error "unrecognized option \`-dlopen'"
-      $ECHO "$help" 1>&2
-      exit $EXIT_FAILURE
-    fi
+    case $host in
+      # Solaris2 added to fix http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16452
+      # see also: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59788
+      *cygwin* | *mingw* | *pw32* | *cegcc* | *solaris2* | *os2*)
+        # don't eliminate duplications in $postdeps and $predeps
+        opt_duplicate_compiler_generated_deps=:
+        ;;
+      *)
+        opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
+        ;;
+    esac
 
-    # Change the help message to a mode-specific one.
-    generic_help="$help"
-    help="Try \`$progname --help --mode=$opt_mode' for more information."
-  }
+    $opt_help || {
+      # Sanity checks first:
+      func_check_version_match
+
+      test yes != "$build_libtool_libs" \
+        && test yes != "$build_old_libs" \
+        && func_fatal_configuration "not configured to build any kind of library"
 
+      # Darwin sucks
+      eval std_shrext=\"$shrext_cmds\"
+
+      # Only execute mode is allowed to have -dlopen flags.
+      if test -n "$opt_dlopen" && test execute != "$opt_mode"; then
+        func_error "unrecognized option '-dlopen'"
+        $ECHO "$help" 1>&2
+        exit $EXIT_FAILURE
+      fi
+
+      # Change the help message to a mode-specific one.
+      generic_help=$help
+      help="Try '$progname --help --mode=$opt_mode' for more information."
+    }
 
-  # Bail if the options were screwed
-  $exit_cmd $EXIT_FAILURE
+    # Pass back the unparsed argument list
+    func_quote_for_eval ${1+"$@"}
+    libtool_validate_options_result=$func_quote_for_eval_result
 }
+func_add_hook func_validate_options libtool_validate_options
 
 
+# Process options as early as possible so that --help and --version
+# can return quickly.
+func_options ${1+"$@"}
+eval set dummy "$func_options_result"; shift
+
 
 
 ## ----------- ##
 ##    Main.    ##
 ## ----------- ##
 
+magic='%%%MAGIC variable%%%'
+magic_exe='%%%MAGIC EXE variable%%%'
+
+# Global variables.
+extracted_archives=
+extracted_serial=0
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end.  This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+
+# A function that is used when there is no print builtin or printf.
+func_fallback_echo ()
+{
+  eval 'cat <<_LTECHO_EOF
+$1
+_LTECHO_EOF'
+}
+
+# func_generated_by_libtool
+# True iff stdin has been generated by Libtool. This function is only
+# a basic sanity check; it will hardly flush out determined imposters.
+func_generated_by_libtool_p ()
+{
+  $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+}
+
 # func_lalib_p file
-# True iff FILE is a libtool `.la' library or `.lo' object file.
+# True iff FILE is a libtool '.la' library or '.lo' object file.
 # This function is only a basic sanity check; it will hardly flush out
 # determined imposters.
 func_lalib_p ()
 {
     test -f "$1" &&
-      $SED -e 4q "$1" 2>/dev/null \
-        | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+      $SED -e 4q "$1" 2>/dev/null | func_generated_by_libtool_p
 }
 
 # func_lalib_unsafe_p file
-# True iff FILE is a libtool `.la' library or `.lo' object file.
+# True iff FILE is a libtool '.la' library or '.lo' object file.
 # This function implements the same check as func_lalib_p without
 # resorting to external programs.  To this end, it redirects stdin and
 # closes it afterwards, without saving the original file descriptor.
 # As a safety measure, use it only where a negative result would be
-# fatal anyway.  Works if `file' does not exist.
+# fatal anyway.  Works if 'file' does not exist.
 func_lalib_unsafe_p ()
 {
     lalib_p=no
@@ -1249,13 +2521,13 @@ func_lalib_unsafe_p ()
 	for lalib_p_l in 1 2 3 4
 	do
 	    read lalib_p_line
-	    case "$lalib_p_line" in
+	    case $lalib_p_line in
 		\#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;;
 	    esac
 	done
 	exec 0<&5 5<&-
     fi
-    test "$lalib_p" = yes
+    test yes = "$lalib_p"
 }
 
 # func_ltwrapper_script_p file
@@ -1264,7 +2536,8 @@ func_lalib_unsafe_p ()
 # determined imposters.
 func_ltwrapper_script_p ()
 {
-    func_lalib_p "$1"
+    test -f "$1" &&
+      $lt_truncate_bin < "$1" 2>/dev/null | func_generated_by_libtool_p
 }
 
 # func_ltwrapper_executable_p file
@@ -1289,7 +2562,7 @@ func_ltwrapper_scriptname ()
 {
     func_dirname_and_basename "$1" "" "."
     func_stripname '' '.exe' "$func_basename_result"
-    func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
+    func_ltwrapper_scriptname_result=$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper
 }
 
 # func_ltwrapper_p file
@@ -1308,11 +2581,13 @@ func_ltwrapper_p ()
 # FAIL_CMD may read-access the current command in variable CMD!
 func_execute_cmds ()
 {
-    $opt_debug
+    $debug_cmd
+
     save_ifs=$IFS; IFS='~'
     for cmd in $1; do
-      IFS=$save_ifs
+      IFS=$sp$nl
       eval cmd=\"$cmd\"
+      IFS=$save_ifs
       func_show_eval "$cmd" "${2-:}"
     done
     IFS=$save_ifs
@@ -1324,10 +2599,11 @@ func_execute_cmds ()
 # Note that it is not necessary on cygwin/mingw to append a dot to
 # FILE even if both FILE and FILE.exe exist: automatic-append-.exe
 # behavior happens only for exec(3), not for open(2)!  Also, sourcing
-# `FILE.' does not work on cygwin managed mounts.
+# 'FILE.' does not work on cygwin managed mounts.
 func_source ()
 {
-    $opt_debug
+    $debug_cmd
+
     case $1 in
     */* | *\\*)	. "$1" ;;
     *)		. "./$1" ;;
@@ -1354,10 +2630,10 @@ func_resolve_sysroot ()
 # store the result into func_replace_sysroot_result.
 func_replace_sysroot ()
 {
-  case "$lt_sysroot:$1" in
+  case $lt_sysroot:$1 in
   ?*:"$lt_sysroot"*)
     func_stripname "$lt_sysroot" '' "$1"
-    func_replace_sysroot_result="=$func_stripname_result"
+    func_replace_sysroot_result='='$func_stripname_result
     ;;
   *)
     # Including no sysroot.
@@ -1374,21 +2650,7 @@ func_replace_sysroot ()
 # arg is usually of the form 'gcc ...'
 func_infer_tag ()
 {
-    $opt_debug
-
-    # FreeBSD-specific: where we install compilers with non-standard names
-    tag_compilers_CC="*cc cc* *gcc gcc* clang"
-    tag_compilers_CXX="*c++ c++* *g++ g++* clang++"
-    base_compiler=`set -- "$@"; echo $1`
-
-    # If $tagname isn't set, then try to infer if the default "CC" tag applies
-    if test -z "$tagname"; then
-      for zp in $tag_compilers_CC; do
-        case $base_compiler in
-	 $zp) tagname="CC"; break;;
-	esac
-      done
-    fi
+    $debug_cmd
 
     if test -n "$available_tags" && test -z "$tagname"; then
       CC_quoted=
@@ -1408,7 +2670,7 @@ func_infer_tag ()
 	for z in $available_tags; do
 	  if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
 	    # Evaluate the configuration.
-	    eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+	    eval "`$SED -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
 	    CC_quoted=
 	    for arg in $CC; do
 	      # Double-quote args containing other shell metacharacters.
@@ -1426,29 +2688,14 @@ func_infer_tag ()
 	      break
 	      ;;
 	    esac
-
-	    # FreeBSD-specific: try compilers based on inferred tag
-	    if test -z "$tagname"; then
-	      eval "tag_compilers=\$tag_compilers_${z}"
-	      if test -n "$tag_compilers"; then
-		for zp in $tag_compilers; do
-		  case $base_compiler in   
-		    $zp) tagname=$z; break;;
-		  esac
-		done
-		if test -n "$tagname"; then
-		  break
-		fi
-	      fi
-            fi
-          fi
+	  fi
 	done
 	# If $tagname still isn't set, then no tagged configuration
 	# was found and let the user know that the "--tag" command
 	# line option must be used.
 	if test -z "$tagname"; then
 	  func_echo "unable to infer tagged configuration"
-	  func_fatal_error "specify a tag with \`--tag'"
+	  func_fatal_error "specify a tag with '--tag'"
 #	else
 #	  func_verbose "using $tagname tagged configuration"
 	fi
@@ -1464,15 +2711,15 @@ func_infer_tag ()
 # but don't create it if we're doing a dry run.
 func_write_libtool_object ()
 {
-    write_libobj=${1}
-    if test "$build_libtool_libs" = yes; then
-      write_lobj=\'${2}\'
+    write_libobj=$1
+    if test yes = "$build_libtool_libs"; then
+      write_lobj=\'$2\'
     else
       write_lobj=none
     fi
 
-    if test "$build_old_libs" = yes; then
-      write_oldobj=\'${3}\'
+    if test yes = "$build_old_libs"; then
+      write_oldobj=\'$3\'
     else
       write_oldobj=none
     fi
@@ -1480,7 +2727,7 @@ func_write_libtool_object ()
     $opt_dry_run || {
       cat >${write_libobj}T <<EOF
 # $write_libobj - a libtool object file
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
 #
 # Please DO NOT delete this file!
 # It is necessary for linking the library.
@@ -1492,7 +2739,7 @@ pic_object=$write_lobj
 non_pic_object=$write_oldobj
 
 EOF
-      $MV "${write_libobj}T" "${write_libobj}"
+      $MV "${write_libobj}T" "$write_libobj"
     }
 }
 
@@ -1512,8 +2759,9 @@ EOF
 # be empty on error (or when ARG is empty)
 func_convert_core_file_wine_to_w32 ()
 {
-  $opt_debug
-  func_convert_core_file_wine_to_w32_result="$1"
+  $debug_cmd
+
+  func_convert_core_file_wine_to_w32_result=$1
   if test -n "$1"; then
     # Unfortunately, winepath does not exit with a non-zero error code, so we
     # are forced to check the contents of stdout. On the other hand, if the
@@ -1521,9 +2769,9 @@ func_convert_core_file_wine_to_w32 ()
     # *an error message* to stdout. So we must check for both error code of
     # zero AND non-empty stdout, which explains the odd construction:
     func_convert_core_file_wine_to_w32_tmp=`winepath -w "$1" 2>/dev/null`
-    if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
+    if test "$?" -eq 0 && test -n "$func_convert_core_file_wine_to_w32_tmp"; then
       func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
-        $SED -e "$lt_sed_naive_backslashify"`
+        $SED -e "$sed_naive_backslashify"`
     else
       func_convert_core_file_wine_to_w32_result=
     fi
@@ -1544,18 +2792,19 @@ func_convert_core_file_wine_to_w32 ()
 # are convertible, then the result may be empty.
 func_convert_core_path_wine_to_w32 ()
 {
-  $opt_debug
+  $debug_cmd
+
   # unfortunately, winepath doesn't convert paths, only file names
-  func_convert_core_path_wine_to_w32_result=""
+  func_convert_core_path_wine_to_w32_result=
   if test -n "$1"; then
     oldIFS=$IFS
     IFS=:
     for func_convert_core_path_wine_to_w32_f in $1; do
       IFS=$oldIFS
       func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
-      if test -n "$func_convert_core_file_wine_to_w32_result" ; then
+      if test -n "$func_convert_core_file_wine_to_w32_result"; then
         if test -z "$func_convert_core_path_wine_to_w32_result"; then
-          func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
+          func_convert_core_path_wine_to_w32_result=$func_convert_core_file_wine_to_w32_result
         else
           func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
         fi
@@ -1584,7 +2833,8 @@ func_convert_core_path_wine_to_w32 ()
 # environment variable; do not put it in $PATH.
 func_cygpath ()
 {
-  $opt_debug
+  $debug_cmd
+
   if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
     func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
     if test "$?" -ne 0; then
@@ -1593,7 +2843,7 @@ func_cygpath ()
     fi
   else
     func_cygpath_result=
-    func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
+    func_error "LT_CYGPATH is empty or specifies non-existent file: '$LT_CYGPATH'"
   fi
 }
 #end: func_cygpath
@@ -1604,10 +2854,11 @@ func_cygpath ()
 # result in func_convert_core_msys_to_w32_result.
 func_convert_core_msys_to_w32 ()
 {
-  $opt_debug
+  $debug_cmd
+
   # awkward: cmd appends spaces to result
   func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
-    $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
+    $SED -e 's/[ ]*$//' -e "$sed_naive_backslashify"`
 }
 #end: func_convert_core_msys_to_w32
 
@@ -1618,13 +2869,14 @@ func_convert_core_msys_to_w32 ()
 # func_to_host_file_result to ARG1).
 func_convert_file_check ()
 {
-  $opt_debug
-  if test -z "$2" && test -n "$1" ; then
+  $debug_cmd
+
+  if test -z "$2" && test -n "$1"; then
     func_error "Could not determine host file name corresponding to"
-    func_error "  \`$1'"
+    func_error "  '$1'"
     func_error "Continuing, but uninstalled executables may not work."
     # Fallback:
-    func_to_host_file_result="$1"
+    func_to_host_file_result=$1
   fi
 }
 # end func_convert_file_check
@@ -1636,10 +2888,11 @@ func_convert_file_check ()
 # func_to_host_file_result to a simplistic fallback value (see below).
 func_convert_path_check ()
 {
-  $opt_debug
+  $debug_cmd
+
   if test -z "$4" && test -n "$3"; then
     func_error "Could not determine the host path corresponding to"
-    func_error "  \`$3'"
+    func_error "  '$3'"
     func_error "Continuing, but uninstalled executables may not work."
     # Fallback.  This is a deliberately simplistic "conversion" and
     # should not be "improved".  See libtool.info.
@@ -1648,7 +2901,7 @@ func_convert_path_check ()
       func_to_host_path_result=`echo "$3" |
         $SED -e "$lt_replace_pathsep_chars"`
     else
-      func_to_host_path_result="$3"
+      func_to_host_path_result=$3
     fi
   fi
 }
@@ -1660,9 +2913,10 @@ func_convert_path_check ()
 # and appending REPL if ORIG matches BACKPAT.
 func_convert_path_front_back_pathsep ()
 {
-  $opt_debug
+  $debug_cmd
+
   case $4 in
-  $1 ) func_to_host_path_result="$3$func_to_host_path_result"
+  $1 ) func_to_host_path_result=$3$func_to_host_path_result
     ;;
   esac
   case $4 in
@@ -1676,7 +2930,7 @@ func_convert_path_front_back_pathsep ()
 ##################################################
 # $build to $host FILE NAME CONVERSION FUNCTIONS #
 ##################################################
-# invoked via `$to_host_file_cmd ARG'
+# invoked via '$to_host_file_cmd ARG'
 #
 # In each case, ARG is the path to be converted from $build to $host format.
 # Result will be available in $func_to_host_file_result.
@@ -1687,7 +2941,8 @@ func_convert_path_front_back_pathsep ()
 # in func_to_host_file_result.
 func_to_host_file ()
 {
-  $opt_debug
+  $debug_cmd
+
   $to_host_file_cmd "$1"
 }
 # end func_to_host_file
@@ -1699,7 +2954,8 @@ func_to_host_file ()
 # in (the comma separated) LAZY, no conversion takes place.
 func_to_tool_file ()
 {
-  $opt_debug
+  $debug_cmd
+
   case ,$2, in
     *,"$to_tool_file_cmd",*)
       func_to_tool_file_result=$1
@@ -1717,7 +2973,7 @@ func_to_tool_file ()
 # Copy ARG to func_to_host_file_result.
 func_convert_file_noop ()
 {
-  func_to_host_file_result="$1"
+  func_to_host_file_result=$1
 }
 # end func_convert_file_noop
 
@@ -1728,11 +2984,12 @@ func_convert_file_noop ()
 # func_to_host_file_result.
 func_convert_file_msys_to_w32 ()
 {
-  $opt_debug
-  func_to_host_file_result="$1"
+  $debug_cmd
+
+  func_to_host_file_result=$1
   if test -n "$1"; then
     func_convert_core_msys_to_w32 "$1"
-    func_to_host_file_result="$func_convert_core_msys_to_w32_result"
+    func_to_host_file_result=$func_convert_core_msys_to_w32_result
   fi
   func_convert_file_check "$1" "$func_to_host_file_result"
 }
@@ -1744,8 +3001,9 @@ func_convert_file_msys_to_w32 ()
 # func_to_host_file_result.
 func_convert_file_cygwin_to_w32 ()
 {
-  $opt_debug
-  func_to_host_file_result="$1"
+  $debug_cmd
+
+  func_to_host_file_result=$1
   if test -n "$1"; then
     # because $build is cygwin, we call "the" cygpath in $PATH; no need to use
     # LT_CYGPATH in this case.
@@ -1761,11 +3019,12 @@ func_convert_file_cygwin_to_w32 ()
 # and a working winepath. Returns result in func_to_host_file_result.
 func_convert_file_nix_to_w32 ()
 {
-  $opt_debug
-  func_to_host_file_result="$1"
+  $debug_cmd
+
+  func_to_host_file_result=$1
   if test -n "$1"; then
     func_convert_core_file_wine_to_w32 "$1"
-    func_to_host_file_result="$func_convert_core_file_wine_to_w32_result"
+    func_to_host_file_result=$func_convert_core_file_wine_to_w32_result
   fi
   func_convert_file_check "$1" "$func_to_host_file_result"
 }
@@ -1777,12 +3036,13 @@ func_convert_file_nix_to_w32 ()
 # Returns result in func_to_host_file_result.
 func_convert_file_msys_to_cygwin ()
 {
-  $opt_debug
-  func_to_host_file_result="$1"
+  $debug_cmd
+
+  func_to_host_file_result=$1
   if test -n "$1"; then
     func_convert_core_msys_to_w32 "$1"
     func_cygpath -u "$func_convert_core_msys_to_w32_result"
-    func_to_host_file_result="$func_cygpath_result"
+    func_to_host_file_result=$func_cygpath_result
   fi
   func_convert_file_check "$1" "$func_to_host_file_result"
 }
@@ -1795,13 +3055,14 @@ func_convert_file_msys_to_cygwin ()
 # in func_to_host_file_result.
 func_convert_file_nix_to_cygwin ()
 {
-  $opt_debug
-  func_to_host_file_result="$1"
+  $debug_cmd
+
+  func_to_host_file_result=$1
   if test -n "$1"; then
     # convert from *nix to w32, then use cygpath to convert from w32 to cygwin.
     func_convert_core_file_wine_to_w32 "$1"
     func_cygpath -u "$func_convert_core_file_wine_to_w32_result"
-    func_to_host_file_result="$func_cygpath_result"
+    func_to_host_file_result=$func_cygpath_result
   fi
   func_convert_file_check "$1" "$func_to_host_file_result"
 }
@@ -1811,7 +3072,7 @@ func_convert_file_nix_to_cygwin ()
 #############################################
 # $build to $host PATH CONVERSION FUNCTIONS #
 #############################################
-# invoked via `$to_host_path_cmd ARG'
+# invoked via '$to_host_path_cmd ARG'
 #
 # In each case, ARG is the path to be converted from $build to $host format.
 # The result will be available in $func_to_host_path_result.
@@ -1835,10 +3096,11 @@ func_convert_file_nix_to_cygwin ()
 to_host_path_cmd=
 func_init_to_host_path_cmd ()
 {
-  $opt_debug
+  $debug_cmd
+
   if test -z "$to_host_path_cmd"; then
     func_stripname 'func_convert_file_' '' "$to_host_file_cmd"
-    to_host_path_cmd="func_convert_path_${func_stripname_result}"
+    to_host_path_cmd=func_convert_path_$func_stripname_result
   fi
 }
 
@@ -1848,7 +3110,8 @@ func_init_to_host_path_cmd ()
 # in func_to_host_path_result.
 func_to_host_path ()
 {
-  $opt_debug
+  $debug_cmd
+
   func_init_to_host_path_cmd
   $to_host_path_cmd "$1"
 }
@@ -1859,7 +3122,7 @@ func_to_host_path ()
 # Copy ARG to func_to_host_path_result.
 func_convert_path_noop ()
 {
-  func_to_host_path_result="$1"
+  func_to_host_path_result=$1
 }
 # end func_convert_path_noop
 
@@ -1870,8 +3133,9 @@ func_convert_path_noop ()
 # func_to_host_path_result.
 func_convert_path_msys_to_w32 ()
 {
-  $opt_debug
-  func_to_host_path_result="$1"
+  $debug_cmd
+
+  func_to_host_path_result=$1
   if test -n "$1"; then
     # Remove leading and trailing path separator characters from ARG.  MSYS
     # behavior is inconsistent here; cygpath turns them into '.;' and ';.';
@@ -1879,7 +3143,7 @@ func_convert_path_msys_to_w32 ()
     func_stripname : : "$1"
     func_to_host_path_tmp1=$func_stripname_result
     func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
-    func_to_host_path_result="$func_convert_core_msys_to_w32_result"
+    func_to_host_path_result=$func_convert_core_msys_to_w32_result
     func_convert_path_check : ";" \
       "$func_to_host_path_tmp1" "$func_to_host_path_result"
     func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
@@ -1893,8 +3157,9 @@ func_convert_path_msys_to_w32 ()
 # func_to_host_file_result.
 func_convert_path_cygwin_to_w32 ()
 {
-  $opt_debug
-  func_to_host_path_result="$1"
+  $debug_cmd
+
+  func_to_host_path_result=$1
   if test -n "$1"; then
     # See func_convert_path_msys_to_w32:
     func_stripname : : "$1"
@@ -1913,14 +3178,15 @@ func_convert_path_cygwin_to_w32 ()
 # a working winepath.  Returns result in func_to_host_file_result.
 func_convert_path_nix_to_w32 ()
 {
-  $opt_debug
-  func_to_host_path_result="$1"
+  $debug_cmd
+
+  func_to_host_path_result=$1
   if test -n "$1"; then
     # See func_convert_path_msys_to_w32:
     func_stripname : : "$1"
     func_to_host_path_tmp1=$func_stripname_result
     func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
-    func_to_host_path_result="$func_convert_core_path_wine_to_w32_result"
+    func_to_host_path_result=$func_convert_core_path_wine_to_w32_result
     func_convert_path_check : ";" \
       "$func_to_host_path_tmp1" "$func_to_host_path_result"
     func_convert_path_front_back_pathsep ":*" "*:" ";" "$1"
@@ -1934,15 +3200,16 @@ func_convert_path_nix_to_w32 ()
 # Returns result in func_to_host_file_result.
 func_convert_path_msys_to_cygwin ()
 {
-  $opt_debug
-  func_to_host_path_result="$1"
+  $debug_cmd
+
+  func_to_host_path_result=$1
   if test -n "$1"; then
     # See func_convert_path_msys_to_w32:
     func_stripname : : "$1"
     func_to_host_path_tmp1=$func_stripname_result
     func_convert_core_msys_to_w32 "$func_to_host_path_tmp1"
     func_cygpath -u -p "$func_convert_core_msys_to_w32_result"
-    func_to_host_path_result="$func_cygpath_result"
+    func_to_host_path_result=$func_cygpath_result
     func_convert_path_check : : \
       "$func_to_host_path_tmp1" "$func_to_host_path_result"
     func_convert_path_front_back_pathsep ":*" "*:" : "$1"
@@ -1957,8 +3224,9 @@ func_convert_path_msys_to_cygwin ()
 # func_to_host_file_result.
 func_convert_path_nix_to_cygwin ()
 {
-  $opt_debug
-  func_to_host_path_result="$1"
+  $debug_cmd
+
+  func_to_host_path_result=$1
   if test -n "$1"; then
     # Remove leading and trailing path separator characters from
     # ARG. msys behavior is inconsistent here, cygpath turns them
@@ -1967,7 +3235,7 @@ func_convert_path_nix_to_cygwin ()
     func_to_host_path_tmp1=$func_stripname_result
     func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1"
     func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result"
-    func_to_host_path_result="$func_cygpath_result"
+    func_to_host_path_result=$func_cygpath_result
     func_convert_path_check : : \
       "$func_to_host_path_tmp1" "$func_to_host_path_result"
     func_convert_path_front_back_pathsep ":*" "*:" : "$1"
@@ -1976,13 +3244,31 @@ func_convert_path_nix_to_cygwin ()
 # end func_convert_path_nix_to_cygwin
 
 
+# func_dll_def_p FILE
+# True iff FILE is a Windows DLL '.def' file.
+# Keep in sync with _LT_DLL_DEF_P in libtool.m4
+func_dll_def_p ()
+{
+  $debug_cmd
+
+  func_dll_def_p_tmp=`$SED -n \
+    -e 's/^[	 ]*//' \
+    -e '/^\(;.*\)*$/d' \
+    -e 's/^\(EXPORTS\|LIBRARY\)\([	 ].*\)*$/DEF/p' \
+    -e q \
+    "$1"`
+  test DEF = "$func_dll_def_p_tmp"
+}
+
+
 # func_mode_compile arg...
 func_mode_compile ()
 {
-    $opt_debug
+    $debug_cmd
+
     # Get the compilation command and the source file.
     base_compile=
-    srcfile="$nonopt"  #  always keep a non-empty value in "srcfile"
+    srcfile=$nonopt  #  always keep a non-empty value in "srcfile"
     suppress_opt=yes
     suppress_output=
     arg_mode=normal
@@ -1995,12 +3281,12 @@ func_mode_compile ()
       case $arg_mode in
       arg  )
 	# do not "continue".  Instead, add this to base_compile
-	lastarg="$arg"
+	lastarg=$arg
 	arg_mode=normal
 	;;
 
       target )
-	libobj="$arg"
+	libobj=$arg
 	arg_mode=normal
 	continue
 	;;
@@ -2010,7 +3296,7 @@ func_mode_compile ()
 	case $arg in
 	-o)
 	  test -n "$libobj" && \
-	    func_fatal_error "you cannot specify \`-o' more than once"
+	    func_fatal_error "you cannot specify '-o' more than once"
 	  arg_mode=target
 	  continue
 	  ;;
@@ -2039,12 +3325,12 @@ func_mode_compile ()
 	  func_stripname '-Wc,' '' "$arg"
 	  args=$func_stripname_result
 	  lastarg=
-	  save_ifs="$IFS"; IFS=','
+	  save_ifs=$IFS; IFS=,
 	  for arg in $args; do
-	    IFS="$save_ifs"
+	    IFS=$save_ifs
 	    func_append_quoted lastarg "$arg"
 	  done
-	  IFS="$save_ifs"
+	  IFS=$save_ifs
 	  func_stripname ' ' '' "$lastarg"
 	  lastarg=$func_stripname_result
 
@@ -2057,8 +3343,8 @@ func_mode_compile ()
 	  # Accept the current argument as the source file.
 	  # The previous "srcfile" becomes the current argument.
 	  #
-	  lastarg="$srcfile"
-	  srcfile="$arg"
+	  lastarg=$srcfile
+	  srcfile=$arg
 	  ;;
 	esac  #  case $arg
 	;;
@@ -2073,13 +3359,13 @@ func_mode_compile ()
       func_fatal_error "you must specify an argument for -Xcompile"
       ;;
     target)
-      func_fatal_error "you must specify a target with \`-o'"
+      func_fatal_error "you must specify a target with '-o'"
       ;;
     *)
       # Get the name of the library object.
       test -z "$libobj" && {
 	func_basename "$srcfile"
-	libobj="$func_basename_result"
+	libobj=$func_basename_result
       }
       ;;
     esac
@@ -2099,7 +3385,7 @@ func_mode_compile ()
     case $libobj in
     *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;;
     *)
-      func_fatal_error "cannot determine name of library object from \`$libobj'"
+      func_fatal_error "cannot determine name of library object from '$libobj'"
       ;;
     esac
 
@@ -2108,8 +3394,8 @@ func_mode_compile ()
     for arg in $later; do
       case $arg in
       -shared)
-	test "$build_libtool_libs" != yes && \
-	  func_fatal_configuration "can not build a shared library"
+	test yes = "$build_libtool_libs" \
+	  || func_fatal_configuration "cannot build a shared library"
 	build_old_libs=no
 	continue
 	;;
@@ -2135,17 +3421,17 @@ func_mode_compile ()
     func_quote_for_eval "$libobj"
     test "X$libobj" != "X$func_quote_for_eval_result" \
       && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"'	 &()|`$[]' \
-      && func_warning "libobj name \`$libobj' may not contain shell special characters."
+      && func_warning "libobj name '$libobj' may not contain shell special characters."
     func_dirname_and_basename "$obj" "/" ""
-    objname="$func_basename_result"
-    xdir="$func_dirname_result"
-    lobj=${xdir}$objdir/$objname
+    objname=$func_basename_result
+    xdir=$func_dirname_result
+    lobj=$xdir$objdir/$objname
 
     test -z "$base_compile" && \
       func_fatal_help "you must specify a compilation command"
 
     # Delete any leftover library objects.
-    if test "$build_old_libs" = yes; then
+    if test yes = "$build_old_libs"; then
       removelist="$obj $lobj $libobj ${libobj}T"
     else
       removelist="$lobj $libobj ${libobj}T"
@@ -2157,16 +3443,16 @@ func_mode_compile ()
       pic_mode=default
       ;;
     esac
-    if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then
+    if test no = "$pic_mode" && test pass_all != "$deplibs_check_method"; then
       # non-PIC code in shared libraries is not supported
       pic_mode=default
     fi
 
     # Calculate the filename of the output object if compiler does
     # not support -o with -c
-    if test "$compiler_c_o" = no; then
-      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext}
-      lockfile="$output_obj.lock"
+    if test no = "$compiler_c_o"; then
+      output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.$objext
+      lockfile=$output_obj.lock
     else
       output_obj=
       need_locks=no
@@ -2175,12 +3461,12 @@ func_mode_compile ()
 
     # Lock this critical section if it is needed
     # We use this script file to make the link, it avoids creating a new file
-    if test "$need_locks" = yes; then
+    if test yes = "$need_locks"; then
       until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
 	func_echo "Waiting for $lockfile to be removed"
 	sleep 2
       done
-    elif test "$need_locks" = warn; then
+    elif test warn = "$need_locks"; then
       if test -f "$lockfile"; then
 	$ECHO "\
 *** ERROR, $lockfile exists and contains:
@@ -2188,7 +3474,7 @@ func_mode_compile ()
 
 This indicates that another process is trying to use the same
 temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
+your compiler does not support '-c' and '-o' together.  If you
 repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
@@ -2210,11 +3496,11 @@ compiler."
     qsrcfile=$func_quote_for_eval_result
 
     # Only build a PIC object if we are building libtool libraries.
-    if test "$build_libtool_libs" = yes; then
+    if test yes = "$build_libtool_libs"; then
       # Without this assignment, base_compile gets emptied.
       fbsd_hideous_sh_bug=$base_compile
 
-      if test "$pic_mode" != no; then
+      if test no != "$pic_mode"; then
 	command="$base_compile $qsrcfile $pic_flag"
       else
 	# Don't build PIC code
@@ -2231,7 +3517,7 @@ compiler."
       func_show_eval_locale "$command"	\
           'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE'
 
-      if test "$need_locks" = warn &&
+      if test warn = "$need_locks" &&
 	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
 	$ECHO "\
 *** ERROR, $lockfile contains:
@@ -2242,7 +3528,7 @@ $srcfile
 
 This indicates that another process is trying to use the same
 temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
+your compiler does not support '-c' and '-o' together.  If you
 repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
@@ -2258,20 +3544,20 @@ compiler."
       fi
 
       # Allow error messages only from the first compilation.
-      if test "$suppress_opt" = yes; then
+      if test yes = "$suppress_opt"; then
 	suppress_output=' >/dev/null 2>&1'
       fi
     fi
 
     # Only build a position-dependent object if we build old libraries.
-    if test "$build_old_libs" = yes; then
-      if test "$pic_mode" != yes; then
+    if test yes = "$build_old_libs"; then
+      if test yes != "$pic_mode"; then
 	# Don't build PIC code
 	command="$base_compile $qsrcfile$pie_flag"
       else
 	command="$base_compile $qsrcfile $pic_flag"
       fi
-      if test "$compiler_c_o" = yes; then
+      if test yes = "$compiler_c_o"; then
 	func_append command " -o $obj"
       fi
 
@@ -2280,7 +3566,7 @@ compiler."
       func_show_eval_locale "$command" \
         '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE'
 
-      if test "$need_locks" = warn &&
+      if test warn = "$need_locks" &&
 	 test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then
 	$ECHO "\
 *** ERROR, $lockfile contains:
@@ -2291,7 +3577,7 @@ $srcfile
 
 This indicates that another process is trying to use the same
 temporary object file, and libtool could not work around it because
-your compiler does not support \`-c' and \`-o' together.  If you
+your compiler does not support '-c' and '-o' together.  If you
 repeat this compilation, it may succeed, by chance, but you had better
 avoid parallel builds (make -j) in this platform, or get a better
 compiler."
@@ -2311,7 +3597,7 @@ compiler."
       func_write_libtool_object "$libobj" "$objdir/$objname" "$objname"
 
       # Unlock the critical section if it was locked
-      if test "$need_locks" != no; then
+      if test no != "$need_locks"; then
 	removelist=$lockfile
         $RM "$lockfile"
       fi
@@ -2321,7 +3607,7 @@ compiler."
 }
 
 $opt_help || {
-  test "$opt_mode" = compile && func_mode_compile ${1+"$@"}
+  test compile = "$opt_mode" && func_mode_compile ${1+"$@"}
 }
 
 func_mode_help ()
@@ -2341,7 +3627,7 @@ func_mode_help ()
 Remove files from the build directory.
 
 RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+(typically '/bin/rm').  RM-OPTIONS are options (such as '-f') to be passed
 to RM.
 
 If FILE is a libtool library, object or program, all the files associated
@@ -2360,16 +3646,16 @@ This mode accepts the following additional options:
   -no-suppress      do not suppress compiler output for multiple passes
   -prefer-pic       try to build PIC objects only
   -prefer-non-pic   try to build non-PIC objects only
-  -shared           do not build a \`.o' file suitable for static linking
-  -static           only build a \`.o' file suitable for static linking
+  -shared           do not build a '.o' file suitable for static linking
+  -static           only build a '.o' file suitable for static linking
   -Wc,FLAG          pass FLAG directly to the compiler
 
-COMPILE-COMMAND is a command to be used in creating a \`standard' object file
+COMPILE-COMMAND is a command to be used in creating a 'standard' object file
 from the given SOURCEFILE.
 
 The output file name is determined by removing the directory component from
-SOURCEFILE, then substituting the C source code suffix \`.c' with the
-library object suffix, \`.lo'."
+SOURCEFILE, then substituting the C source code suffix '.c' with the
+library object suffix, '.lo'."
         ;;
 
       execute)
@@ -2382,7 +3668,7 @@ This mode accepts the following additional options:
 
   -dlopen FILE      add the directory containing FILE to the library path
 
-This mode sets the library path environment variable according to \`-dlopen'
+This mode sets the library path environment variable according to '-dlopen'
 flags.
 
 If any of the ARGS are libtool executable wrappers, then they are translated
@@ -2401,7 +3687,7 @@ Complete the installation of libtool libraries.
 Each LIBDIR is a directory that contains libtool libraries.
 
 The commands that this mode executes may require superuser privileges.  Use
-the \`--dry-run' option if you just want to see what would be executed."
+the '--dry-run' option if you just want to see what would be executed."
         ;;
 
       install)
@@ -2411,7 +3697,7 @@ the \`--dry-run' option if you just want to see what would be executed."
 Install executables or libraries.
 
 INSTALL-COMMAND is the installation command.  The first component should be
-either the \`install' or \`cp' program.
+either the 'install' or 'cp' program.
 
 The following components of INSTALL-COMMAND are treated specially:
 
@@ -2437,7 +3723,7 @@ The following components of LINK-COMMAND are treated specially:
   -avoid-version    do not add a version suffix if possible
   -bindir BINDIR    specify path to binaries directory (for systems where
                     libraries must be found in the PATH setting at runtime)
-  -dlopen FILE      \`-dlpreopen' FILE if it cannot be dlopened at runtime
+  -dlopen FILE      '-dlpreopen' FILE if it cannot be dlopened at runtime
   -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
   -export-symbols SYMFILE
@@ -2451,7 +3737,8 @@ The following components of LINK-COMMAND are treated specially:
   -no-install       link a not-installable executable
   -no-undefined     declare that a library does not refer to external symbols
   -o OUTPUT-FILE    create OUTPUT-FILE from the specified objects
-  -objectlist FILE  Use a list of object files found in FILE to specify objects
+  -objectlist FILE  use a list of object files found in FILE to specify objects
+  -os2dllname NAME  force a short DLL name on OS/2 (no effect on other OSes)
   -precious-files-regex REGEX
                     don't remove output files matching REGEX
   -release RELEASE  specify package release information
@@ -2471,20 +3758,20 @@ The following components of LINK-COMMAND are treated specially:
   -Xlinker FLAG     pass linker-specific FLAG directly to the linker
   -XCClinker FLAG   pass link-specific FLAG to the compiler driver (CC)
 
-All other options (arguments beginning with \`-') are ignored.
+All other options (arguments beginning with '-') are ignored.
 
-Every other argument is treated as a filename.  Files ending in \`.la' are
+Every other argument is treated as a filename.  Files ending in '.la' are
 treated as uninstalled libtool libraries, other files are standard or library
 object files.
 
-If the OUTPUT-FILE ends in \`.la', then a libtool library is created,
-only library objects (\`.lo' files) may be specified, and \`-rpath' is
+If the OUTPUT-FILE ends in '.la', then a libtool library is created,
+only library objects ('.lo' files) may be specified, and '-rpath' is
 required, except when creating a convenience library.
 
-If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created
-using \`ar' and \`ranlib', or on Windows using \`lib'.
+If OUTPUT-FILE ends in '.a' or '.lib', then a standard library is created
+using 'ar' and 'ranlib', or on Windows using 'lib'.
 
-If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file
+If OUTPUT-FILE ends in '.lo' or '.$objext', then a reloadable object file
 is created, otherwise an executable program is created."
         ;;
 
@@ -2495,7 +3782,7 @@ is created, otherwise an executable program is created."
 Remove libraries from an installation directory.
 
 RM is the name of the program to use to delete files associated with each FILE
-(typically \`/bin/rm').  RM-OPTIONS are options (such as \`-f') to be passed
+(typically '/bin/rm').  RM-OPTIONS are options (such as '-f') to be passed
 to RM.
 
 If FILE is a libtool library, all the files associated with it are deleted.
@@ -2503,17 +3790,17 @@ Otherwise, only FILE itself is deleted using RM."
         ;;
 
       *)
-        func_fatal_help "invalid operation mode \`$opt_mode'"
+        func_fatal_help "invalid operation mode '$opt_mode'"
         ;;
     esac
 
     echo
-    $ECHO "Try \`$progname --help' for more information about other modes."
+    $ECHO "Try '$progname --help' for more information about other modes."
 }
 
 # Now that we've collected a possible --mode arg, show help if necessary
 if $opt_help; then
-  if test "$opt_help" = :; then
+  if test : = "$opt_help"; then
     func_mode_help
   else
     {
@@ -2521,7 +3808,7 @@ if $opt_help; then
       for opt_mode in compile link execute install finish uninstall clean; do
 	func_mode_help
       done
-    } | sed -n '1p; 2,$s/^Usage:/  or: /p'
+    } | $SED -n '1p; 2,$s/^Usage:/  or: /p'
     {
       func_help noexit
       for opt_mode in compile link execute install finish uninstall clean; do
@@ -2529,7 +3816,7 @@ if $opt_help; then
 	func_mode_help
       done
     } |
-    sed '1d
+    $SED '1d
       /^When reporting/,/^Report/{
 	H
 	d
@@ -2546,16 +3833,17 @@ fi
 # func_mode_execute arg...
 func_mode_execute ()
 {
-    $opt_debug
+    $debug_cmd
+
     # The first argument is the command name.
-    cmd="$nonopt"
+    cmd=$nonopt
     test -z "$cmd" && \
       func_fatal_help "you must specify a COMMAND"
 
     # Handle -dlopen flags immediately.
     for file in $opt_dlopen; do
       test -f "$file" \
-	|| func_fatal_help "\`$file' is not a file"
+	|| func_fatal_help "'$file' is not a file"
 
       dir=
       case $file in
@@ -2565,7 +3853,7 @@ func_mode_execute ()
 
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
-	  || func_fatal_help "\`$lib' is not a valid libtool archive"
+	  || func_fatal_help "'$lib' is not a valid libtool archive"
 
 	# Read the libtool library.
 	dlname=
@@ -2576,18 +3864,18 @@ func_mode_execute ()
 	if test -z "$dlname"; then
 	  # Warn if it was a shared library.
 	  test -n "$library_names" && \
-	    func_warning "\`$file' was not linked with \`-export-dynamic'"
+	    func_warning "'$file' was not linked with '-export-dynamic'"
 	  continue
 	fi
 
 	func_dirname "$file" "" "."
-	dir="$func_dirname_result"
+	dir=$func_dirname_result
 
 	if test -f "$dir/$objdir/$dlname"; then
 	  func_append dir "/$objdir"
 	else
 	  if test ! -f "$dir/$dlname"; then
-	    func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'"
+	    func_fatal_error "cannot find '$dlname' in '$dir' or '$dir/$objdir'"
 	  fi
 	fi
 	;;
@@ -2595,18 +3883,18 @@ func_mode_execute ()
       *.lo)
 	# Just add the directory containing the .lo file.
 	func_dirname "$file" "" "."
-	dir="$func_dirname_result"
+	dir=$func_dirname_result
 	;;
 
       *)
-	func_warning "\`-dlopen' is ignored for non-libtool libraries and objects"
+	func_warning "'-dlopen' is ignored for non-libtool libraries and objects"
 	continue
 	;;
       esac
 
       # Get the absolute pathname.
       absdir=`cd "$dir" && pwd`
-      test -n "$absdir" && dir="$absdir"
+      test -n "$absdir" && dir=$absdir
 
       # Now add the directory to shlibpath_var.
       if eval "test -z \"\$$shlibpath_var\""; then
@@ -2618,7 +3906,7 @@ func_mode_execute ()
 
     # This variable tells wrapper scripts just to set shlibpath_var
     # rather than running their programs.
-    libtool_execute_magic="$magic"
+    libtool_execute_magic=$magic
 
     # Check if any of the arguments is a wrapper script.
     args=
@@ -2631,12 +3919,12 @@ func_mode_execute ()
 	if func_ltwrapper_script_p "$file"; then
 	  func_source "$file"
 	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
+	  file=$progdir/$program
 	elif func_ltwrapper_executable_p "$file"; then
 	  func_ltwrapper_scriptname "$file"
 	  func_source "$func_ltwrapper_scriptname_result"
 	  # Transform arg to wrapped name.
-	  file="$progdir/$program"
+	  file=$progdir/$program
 	fi
 	;;
       esac
@@ -2644,7 +3932,15 @@ func_mode_execute ()
       func_append_quoted args "$file"
     done
 
-    if test "X$opt_dry_run" = Xfalse; then
+    if $opt_dry_run; then
+      # Display what would be done.
+      if test -n "$shlibpath_var"; then
+	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
+	echo "export $shlibpath_var"
+      fi
+      $ECHO "$cmd$args"
+      exit $EXIT_SUCCESS
+    else
       if test -n "$shlibpath_var"; then
 	# Export the shlibpath_var.
 	eval "export $shlibpath_var"
@@ -2661,25 +3957,18 @@ func_mode_execute ()
       done
 
       # Now prepare to actually exec the command.
-      exec_cmd="\$cmd$args"
-    else
-      # Display what would be done.
-      if test -n "$shlibpath_var"; then
-	eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\""
-	echo "export $shlibpath_var"
-      fi
-      $ECHO "$cmd$args"
-      exit $EXIT_SUCCESS
+      exec_cmd=\$cmd$args
     fi
 }
 
-test "$opt_mode" = execute && func_mode_execute ${1+"$@"}
+test execute = "$opt_mode" && func_mode_execute ${1+"$@"}
 
 
 # func_mode_finish arg...
 func_mode_finish ()
 {
-    $opt_debug
+    $debug_cmd
+
     libs=
     libdirs=
     admincmds=
@@ -2693,11 +3982,11 @@ func_mode_finish ()
 	if func_lalib_unsafe_p "$opt"; then
 	  func_append libs " $opt"
 	else
-	  func_warning "\`$opt' is not a valid libtool archive"
+	  func_warning "'$opt' is not a valid libtool archive"
 	fi
 
       else
-	func_fatal_error "invalid argument \`$opt'"
+	func_fatal_error "invalid argument '$opt'"
       fi
     done
 
@@ -2712,12 +4001,12 @@ func_mode_finish ()
       # Remove sysroot references
       if $opt_dry_run; then
         for lib in $libs; do
-          echo "removing references to $lt_sysroot and \`=' prefixes from $lib"
+          echo "removing references to $lt_sysroot and '=' prefixes from $lib"
         done
       else
         tmpdir=`func_mktempdir`
         for lib in $libs; do
-	  sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
+	  $SED -e "$sysroot_cmd s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \
 	    > $tmpdir/tmp-la
 	  mv -f $tmpdir/tmp-la $lib
 	done
@@ -2742,7 +4031,7 @@ func_mode_finish ()
     fi
 
     # Exit here if they wanted silent mode.
-    $opt_silent && exit $EXIT_SUCCESS
+    $opt_quiet && exit $EXIT_SUCCESS
 
     if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then
       echo "----------------------------------------------------------------------"
@@ -2753,27 +4042,27 @@ func_mode_finish ()
       echo
       echo "If you ever happen to want to link against installed libraries"
       echo "in a given directory, LIBDIR, you must either use libtool, and"
-      echo "specify the full pathname of the library, or use the \`-LLIBDIR'"
+      echo "specify the full pathname of the library, or use the '-LLIBDIR'"
       echo "flag during linking and do at least one of the following:"
       if test -n "$shlibpath_var"; then
-	echo "   - add LIBDIR to the \`$shlibpath_var' environment variable"
+	echo "   - add LIBDIR to the '$shlibpath_var' environment variable"
 	echo "     during execution"
       fi
       if test -n "$runpath_var"; then
-	echo "   - add LIBDIR to the \`$runpath_var' environment variable"
+	echo "   - add LIBDIR to the '$runpath_var' environment variable"
 	echo "     during linking"
       fi
       if test -n "$hardcode_libdir_flag_spec"; then
 	libdir=LIBDIR
 	eval flag=\"$hardcode_libdir_flag_spec\"
 
-	$ECHO "   - use the \`$flag' linker flag"
+	$ECHO "   - use the '$flag' linker flag"
       fi
       if test -n "$admincmds"; then
 	$ECHO "   - have your system administrator run these commands:$admincmds"
       fi
       if test -f /etc/ld.so.conf; then
-	echo "   - have your system administrator add LIBDIR to \`/etc/ld.so.conf'"
+	echo "   - have your system administrator add LIBDIR to '/etc/ld.so.conf'"
       fi
       echo
 
@@ -2792,18 +4081,20 @@ func_mode_finish ()
     exit $EXIT_SUCCESS
 }
 
-test "$opt_mode" = finish && func_mode_finish ${1+"$@"}
+test finish = "$opt_mode" && func_mode_finish ${1+"$@"}
 
 
 # func_mode_install arg...
 func_mode_install ()
 {
-    $opt_debug
+    $debug_cmd
+
     # There may be an optional sh(1) argument at the beginning of
     # install_prog (especially on Windows NT).
-    if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
+    if test "$SHELL" = "$nonopt" || test /bin/sh = "$nonopt" ||
        # Allow the use of GNU shtool's install command.
-       case $nonopt in *shtool*) :;; *) false;; esac; then
+       case $nonopt in *shtool*) :;; *) false;; esac
+    then
       # Aesthetically quote it.
       func_quote_for_eval "$nonopt"
       install_prog="$func_quote_for_eval_result "
@@ -2830,7 +4121,7 @@ func_mode_install ()
     opts=
     prev=
     install_type=
-    isdir=no
+    isdir=false
     stripme=
     no_mode=:
     for arg
@@ -2843,7 +4134,7 @@ func_mode_install ()
       fi
 
       case $arg in
-      -d) isdir=yes ;;
+      -d) isdir=: ;;
       -f)
 	if $install_cp; then :; else
 	  prev=$arg
@@ -2861,7 +4152,7 @@ func_mode_install ()
       *)
 	# If the previous option needed an argument, then skip it.
 	if test -n "$prev"; then
-	  if test "x$prev" = x-m && test -n "$install_override_mode"; then
+	  if test X-m = "X$prev" && test -n "$install_override_mode"; then
 	    arg2=$install_override_mode
 	    no_mode=false
 	  fi
@@ -2886,7 +4177,7 @@ func_mode_install ()
       func_fatal_help "you must specify an install program"
 
     test -n "$prev" && \
-      func_fatal_help "the \`$prev' option requires an argument"
+      func_fatal_help "the '$prev' option requires an argument"
 
     if test -n "$install_override_mode" && $no_mode; then
       if $install_cp; then :; else
@@ -2908,19 +4199,19 @@ func_mode_install ()
     dest=$func_stripname_result
 
     # Check to see that the destination is a directory.
-    test -d "$dest" && isdir=yes
-    if test "$isdir" = yes; then
-      destdir="$dest"
+    test -d "$dest" && isdir=:
+    if $isdir; then
+      destdir=$dest
       destname=
     else
       func_dirname_and_basename "$dest" "" "."
-      destdir="$func_dirname_result"
-      destname="$func_basename_result"
+      destdir=$func_dirname_result
+      destname=$func_basename_result
 
       # Not a directory, so check to see that there is only one file specified.
       set dummy $files; shift
       test "$#" -gt 1 && \
-	func_fatal_help "\`$dest' is not a directory"
+	func_fatal_help "'$dest' is not a directory"
     fi
     case $destdir in
     [\\/]* | [A-Za-z]:[\\/]*) ;;
@@ -2929,7 +4220,7 @@ func_mode_install ()
 	case $file in
 	*.lo) ;;
 	*)
-	  func_fatal_help "\`$destdir' must be an absolute directory name"
+	  func_fatal_help "'$destdir' must be an absolute directory name"
 	  ;;
 	esac
       done
@@ -2938,7 +4229,7 @@ func_mode_install ()
 
     # This variable tells wrapper scripts just to set variables rather
     # than running their programs.
-    libtool_install_magic="$magic"
+    libtool_install_magic=$magic
 
     staticlibs=
     future_libdirs=
@@ -2958,7 +4249,7 @@ func_mode_install ()
 
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$file" \
-	  || func_fatal_help "\`$file' is not a valid libtool archive"
+	  || func_fatal_help "'$file' is not a valid libtool archive"
 
 	library_names=
 	old_library=
@@ -2980,7 +4271,7 @@ func_mode_install ()
 	fi
 
 	func_dirname "$file" "/" ""
-	dir="$func_dirname_result"
+	dir=$func_dirname_result
 	func_append dir "$objdir"
 
 	if test -n "$relink_command"; then
@@ -2994,7 +4285,7 @@ func_mode_install ()
 	  # are installed into $libdir/../bin (currently, that works fine)
 	  # but it's something to keep an eye on.
 	  test "$inst_prefix_dir" = "$destdir" && \
-	    func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir"
+	    func_fatal_error "error: cannot install '$file' to a directory not ending in $libdir"
 
 	  if test -n "$inst_prefix_dir"; then
 	    # Stick the inst_prefix_dir data into the link command.
@@ -3003,29 +4294,36 @@ func_mode_install ()
 	    relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
 	  fi
 
-	  func_warning "relinking \`$file'"
+	  func_warning "relinking '$file'"
 	  func_show_eval "$relink_command" \
-	    'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"'
+	    'func_fatal_error "error: relink '\''$file'\'' with the above command before installing it"'
 	fi
 
 	# See the names of the shared library.
 	set dummy $library_names; shift
 	if test -n "$1"; then
-	  realname="$1"
+	  realname=$1
 	  shift
 
-	  srcname="$realname"
-	  test -n "$relink_command" && srcname="$realname"T
+	  srcname=$realname
+	  test -n "$relink_command" && srcname=${realname}T
 
 	  # Install the shared library and build the symlinks.
 	  func_show_eval "$install_shared_prog $dir/$srcname $destdir/$realname" \
 	      'exit $?'
-	  tstripme="$stripme"
+	  tstripme=$stripme
 	  case $host_os in
 	  cygwin* | mingw* | pw32* | cegcc*)
 	    case $realname in
 	    *.dll.a)
-	      tstripme=""
+	      tstripme=
+	      ;;
+	    esac
+	    ;;
+	  os2*)
+	    case $realname in
+	    *_dll.a)
+	      tstripme=
 	      ;;
 	    esac
 	    ;;
@@ -3036,7 +4334,7 @@ func_mode_install ()
 
 	  if test "$#" -gt 0; then
 	    # Delete the old symlinks, and create new ones.
-	    # Try `ln -sf' first, because the `ln' binary might depend on
+	    # Try 'ln -sf' first, because the 'ln' binary might depend on
 	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
 	    # so we also need to try rm && ln -s.
 	    for linkname
@@ -3047,14 +4345,14 @@ func_mode_install ()
 	  fi
 
 	  # Do each command in the postinstall commands.
-	  lib="$destdir/$realname"
+	  lib=$destdir/$realname
 	  func_execute_cmds "$postinstall_cmds" 'exit $?'
 	fi
 
 	# Install the pseudo-library for information purposes.
 	func_basename "$file"
-	name="$func_basename_result"
-	instname="$dir/$name"i
+	name=$func_basename_result
+	instname=$dir/${name}i
 	func_show_eval "$install_prog $instname $destdir/$name" 'exit $?'
 
 	# Maybe install the static library, too.
@@ -3066,11 +4364,11 @@ func_mode_install ()
 
 	# Figure out destination file name, if it wasn't already specified.
 	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
+	  destfile=$destdir/$destname
 	else
 	  func_basename "$file"
-	  destfile="$func_basename_result"
-	  destfile="$destdir/$destfile"
+	  destfile=$func_basename_result
+	  destfile=$destdir/$destfile
 	fi
 
 	# Deduce the name of the destination old-style object file.
@@ -3080,11 +4378,11 @@ func_mode_install ()
 	  staticdest=$func_lo2o_result
 	  ;;
 	*.$objext)
-	  staticdest="$destfile"
+	  staticdest=$destfile
 	  destfile=
 	  ;;
 	*)
-	  func_fatal_help "cannot copy a libtool object to \`$destfile'"
+	  func_fatal_help "cannot copy a libtool object to '$destfile'"
 	  ;;
 	esac
 
@@ -3093,7 +4391,7 @@ func_mode_install ()
 	  func_show_eval "$install_prog $file $destfile" 'exit $?'
 
 	# Install the old object if enabled.
-	if test "$build_old_libs" = yes; then
+	if test yes = "$build_old_libs"; then
 	  # Deduce the name of the old-style object file.
 	  func_lo2o "$file"
 	  staticobj=$func_lo2o_result
@@ -3105,23 +4403,23 @@ func_mode_install ()
       *)
 	# Figure out destination file name, if it wasn't already specified.
 	if test -n "$destname"; then
-	  destfile="$destdir/$destname"
+	  destfile=$destdir/$destname
 	else
 	  func_basename "$file"
-	  destfile="$func_basename_result"
-	  destfile="$destdir/$destfile"
+	  destfile=$func_basename_result
+	  destfile=$destdir/$destfile
 	fi
 
 	# If the file is missing, and there is a .exe on the end, strip it
 	# because it is most likely a libtool script we actually want to
 	# install
-	stripped_ext=""
+	stripped_ext=
 	case $file in
 	  *.exe)
 	    if test ! -f "$file"; then
 	      func_stripname '' '.exe' "$file"
 	      file=$func_stripname_result
-	      stripped_ext=".exe"
+	      stripped_ext=.exe
 	    fi
 	    ;;
 	esac
@@ -3149,19 +4447,19 @@ func_mode_install ()
 
 	  # Check the variables that should have been set.
 	  test -z "$generated_by_libtool_version" && \
-	    func_fatal_error "invalid libtool wrapper script \`$wrapper'"
+	    func_fatal_error "invalid libtool wrapper script '$wrapper'"
 
-	  finalize=yes
+	  finalize=:
 	  for lib in $notinst_deplibs; do
 	    # Check to see that each library is installed.
 	    libdir=
 	    if test -f "$lib"; then
 	      func_source "$lib"
 	    fi
-	    libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test
+	    libfile=$libdir/`$ECHO "$lib" | $SED 's%^.*/%%g'`
 	    if test -n "$libdir" && test ! -f "$libfile"; then
-	      func_warning "\`$lib' has not been installed in \`$libdir'"
-	      finalize=no
+	      func_warning "'$lib' has not been installed in '$libdir'"
+	      finalize=false
 	    fi
 	  done
 
@@ -3169,29 +4467,29 @@ func_mode_install ()
 	  func_source "$wrapper"
 
 	  outputname=
-	  if test "$fast_install" = no && test -n "$relink_command"; then
+	  if test no = "$fast_install" && test -n "$relink_command"; then
 	    $opt_dry_run || {
-	      if test "$finalize" = yes; then
+	      if $finalize; then
 	        tmpdir=`func_mktempdir`
 		func_basename "$file$stripped_ext"
-		file="$func_basename_result"
-	        outputname="$tmpdir/$file"
+		file=$func_basename_result
+	        outputname=$tmpdir/$file
 	        # Replace the output file specification.
 	        relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'`
 
-	        $opt_silent || {
+	        $opt_quiet || {
 	          func_quote_for_expand "$relink_command"
 		  eval "func_echo $func_quote_for_expand_result"
 	        }
 	        if eval "$relink_command"; then :
 	          else
-		  func_error "error: relink \`$file' with the above command before installing it"
+		  func_error "error: relink '$file' with the above command before installing it"
 		  $opt_dry_run || ${RM}r "$tmpdir"
 		  continue
 	        fi
-	        file="$outputname"
+	        file=$outputname
 	      else
-	        func_warning "cannot relink \`$file'"
+	        func_warning "cannot relink '$file'"
 	      fi
 	    }
 	  else
@@ -3228,10 +4526,10 @@ func_mode_install ()
 
     for file in $staticlibs; do
       func_basename "$file"
-      name="$func_basename_result"
+      name=$func_basename_result
 
       # Set up the ranlib parameters.
-      oldlib="$destdir/$name"
+      oldlib=$destdir/$name
       func_to_tool_file "$oldlib" func_convert_file_msys_to_w32
       tool_oldlib=$func_to_tool_file_result
 
@@ -3246,18 +4544,18 @@ func_mode_install ()
     done
 
     test -n "$future_libdirs" && \
-      func_warning "remember to run \`$progname --finish$future_libdirs'"
+      func_warning "remember to run '$progname --finish$future_libdirs'"
 
     if test -n "$current_libdirs"; then
       # Maybe just do a dry run.
       $opt_dry_run && current_libdirs=" -n$current_libdirs"
-      exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs'
+      exec_cmd='$SHELL "$progpath" $preserve_args --finish$current_libdirs'
     else
       exit $EXIT_SUCCESS
     fi
 }
 
-test "$opt_mode" = install && func_mode_install ${1+"$@"}
+test install = "$opt_mode" && func_mode_install ${1+"$@"}
 
 
 # func_generate_dlsyms outputname originator pic_p
@@ -3265,16 +4563,17 @@ test "$opt_mode" = install && func_mode_install ${1+"$@"}
 # a dlpreopen symbol table.
 func_generate_dlsyms ()
 {
-    $opt_debug
-    my_outputname="$1"
-    my_originator="$2"
-    my_pic_p="${3-no}"
-    my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'`
+    $debug_cmd
+
+    my_outputname=$1
+    my_originator=$2
+    my_pic_p=${3-false}
+    my_prefix=`$ECHO "$my_originator" | $SED 's%[^a-zA-Z0-9]%_%g'`
     my_dlsyms=
 
-    if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
+    if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
       if test -n "$NM" && test -n "$global_symbol_pipe"; then
-	my_dlsyms="${my_outputname}S.c"
+	my_dlsyms=${my_outputname}S.c
       else
 	func_error "not configured to extract global symbols from dlpreopened files"
       fi
@@ -3285,7 +4584,7 @@ func_generate_dlsyms ()
       "") ;;
       *.c)
 	# Discover the nlist of each of the dlfiles.
-	nlist="$output_objdir/${my_outputname}.nm"
+	nlist=$output_objdir/$my_outputname.nm
 
 	func_show_eval "$RM $nlist ${nlist}S ${nlist}T"
 
@@ -3293,34 +4592,36 @@ func_generate_dlsyms ()
 	func_verbose "creating $output_objdir/$my_dlsyms"
 
 	$opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\
-/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. */
-/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */
+/* $my_dlsyms - symbol resolution table for '$my_outputname' dlsym emulation. */
+/* Generated by $PROGRAM (GNU $PACKAGE) $VERSION */
 
 #ifdef __cplusplus
 extern \"C\" {
 #endif
 
-#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
+#if defined __GNUC__ && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4))
 #pragma GCC diagnostic ignored \"-Wstrict-prototypes\"
 #endif
 
 /* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests.  */
-#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE)
-/* DATA imports from DLLs on WIN32 con't be const, because runtime
+#if defined _WIN32 || defined __CYGWIN__ || defined _WIN32_WCE
+/* DATA imports from DLLs on WIN32 can't be const, because runtime
    relocations are performed -- see ld's documentation on pseudo-relocs.  */
 # define LT_DLSYM_CONST
-#elif defined(__osf__)
+#elif defined __osf__
 /* This system does not cope well with relocations in const data.  */
 # define LT_DLSYM_CONST
 #else
 # define LT_DLSYM_CONST const
 #endif
 
+#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0)
+
 /* External symbol declarations for the compiler. */\
 "
 
-	if test "$dlself" = yes; then
-	  func_verbose "generating symbol list for \`$output'"
+	if test yes = "$dlself"; then
+	  func_verbose "generating symbol list for '$output'"
 
 	  $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist"
 
@@ -3328,7 +4629,7 @@ extern \"C\" {
 	  progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	  for progfile in $progfiles; do
 	    func_to_tool_file "$progfile" func_convert_file_msys_to_w32
-	    func_verbose "extracting global C symbols from \`$func_to_tool_file_result'"
+	    func_verbose "extracting global C symbols from '$func_to_tool_file_result'"
 	    $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'"
 	  done
 
@@ -3348,10 +4649,10 @@ extern \"C\" {
 
 	  # Prepare the list of exported symbols
 	  if test -z "$export_symbols"; then
-	    export_symbols="$output_objdir/$outputname.exp"
+	    export_symbols=$output_objdir/$outputname.exp
 	    $opt_dry_run || {
 	      $RM $export_symbols
-	      eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	      eval "$SED -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
 	      case $host in
 	      *cygwin* | *mingw* | *cegcc* )
                 eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
@@ -3361,7 +4662,7 @@ extern \"C\" {
 	    }
 	  else
 	    $opt_dry_run || {
-	      eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      eval "$SED -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
 	      eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      eval '$MV "$nlist"T "$nlist"'
 	      case $host in
@@ -3375,22 +4676,22 @@ extern \"C\" {
 	fi
 
 	for dlprefile in $dlprefiles; do
-	  func_verbose "extracting global C symbols from \`$dlprefile'"
+	  func_verbose "extracting global C symbols from '$dlprefile'"
 	  func_basename "$dlprefile"
-	  name="$func_basename_result"
+	  name=$func_basename_result
           case $host in
 	    *cygwin* | *mingw* | *cegcc* )
 	      # if an import library, we need to obtain dlname
 	      if func_win32_import_lib_p "$dlprefile"; then
 	        func_tr_sh "$dlprefile"
 	        eval "curr_lafile=\$libfile_$func_tr_sh_result"
-	        dlprefile_dlbasename=""
+	        dlprefile_dlbasename=
 	        if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then
 	          # Use subshell, to avoid clobbering current variable values
 	          dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"`
-	          if test -n "$dlprefile_dlname" ; then
+	          if test -n "$dlprefile_dlname"; then
 	            func_basename "$dlprefile_dlname"
-	            dlprefile_dlbasename="$func_basename_result"
+	            dlprefile_dlbasename=$func_basename_result
 	          else
 	            # no lafile. user explicitly requested -dlpreopen <import library>.
 	            $sharedlib_from_linklib_cmd "$dlprefile"
@@ -3398,7 +4699,7 @@ extern \"C\" {
 	          fi
 	        fi
 	        $opt_dry_run || {
-	          if test -n "$dlprefile_dlbasename" ; then
+	          if test -n "$dlprefile_dlbasename"; then
 	            eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"'
 	          else
 	            func_warning "Could not compute DLL name from $name"
@@ -3454,6 +4755,11 @@ extern \"C\" {
 	    echo '/* NONE */' >> "$output_objdir/$my_dlsyms"
 	  fi
 
+	  func_show_eval '$RM "${nlist}I"'
+	  if test -n "$global_symbol_to_import"; then
+	    eval "$global_symbol_to_import"' < "$nlist"S > "$nlist"I'
+	  fi
+
 	  echo >> "$output_objdir/$my_dlsyms" "\
 
 /* The mapping between symbol names and symbols.  */
@@ -3462,11 +4768,30 @@ typedef struct {
   void *address;
 } lt_dlsymlist;
 extern LT_DLSYM_CONST lt_dlsymlist
-lt_${my_prefix}_LTX_preloaded_symbols[];
+lt_${my_prefix}_LTX_preloaded_symbols[];\
+"
+
+	  if test -s "$nlist"I; then
+	    echo >> "$output_objdir/$my_dlsyms" "\
+static void lt_syminit(void)
+{
+  LT_DLSYM_CONST lt_dlsymlist *symbol = lt_${my_prefix}_LTX_preloaded_symbols;
+  for (; symbol->name; ++symbol)
+    {"
+	    $SED 's/.*/      if (STREQ (symbol->name, \"&\")) symbol->address = (void *) \&&;/' < "$nlist"I >> "$output_objdir/$my_dlsyms"
+	    echo >> "$output_objdir/$my_dlsyms" "\
+    }
+}"
+	  fi
+	  echo >> "$output_objdir/$my_dlsyms" "\
 LT_DLSYM_CONST lt_dlsymlist
 lt_${my_prefix}_LTX_preloaded_symbols[] =
-{\
-  { \"$my_originator\", (void *) 0 },"
+{ {\"$my_originator\", (void *) 0},"
+
+	  if test -s "$nlist"I; then
+	    echo >> "$output_objdir/$my_dlsyms" "\
+  {\"@INIT@\", (void *) &lt_syminit},"
+	  fi
 
 	  case $need_lib_prefix in
 	  no)
@@ -3508,9 +4833,7 @@ static const void *lt_preloaded_setup() {
 	  *-*-hpux*)
 	    pic_flag_for_symtable=" $pic_flag"  ;;
 	  *)
-	    if test "X$my_pic_p" != Xno; then
-	      pic_flag_for_symtable=" $pic_flag"
-	    fi
+	    $my_pic_p && pic_flag_for_symtable=" $pic_flag"
 	    ;;
 	  esac
 	  ;;
@@ -3527,10 +4850,10 @@ static const void *lt_preloaded_setup() {
 	func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?'
 
 	# Clean up the generated files.
-	func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"'
+	func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T" "${nlist}I"'
 
 	# Transform the symbol file into the correct name.
-	symfileobj="$output_objdir/${my_outputname}S.$objext"
+	symfileobj=$output_objdir/${my_outputname}S.$objext
 	case $host in
 	*cygwin* | *mingw* | *cegcc* )
 	  if test -f "$output_objdir/$my_outputname.def"; then
@@ -3547,11 +4870,8 @@ static const void *lt_preloaded_setup() {
 	  ;;
 	esac
 	;;
-      *-*-freebsd*)
-	# FreeBSD doesn't need this...
-	;;
       *)
-	func_fatal_error "unknown suffix for \`$my_dlsyms'"
+	func_fatal_error "unknown suffix for '$my_dlsyms'"
 	;;
       esac
     else
@@ -3565,6 +4885,32 @@ static const void *lt_preloaded_setup() {
     fi
 }
 
+# func_cygming_gnu_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is a GNU/binutils-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_gnu_implib_p ()
+{
+  $debug_cmd
+
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
+  test -n "$func_cygming_gnu_implib_tmp"
+}
+
+# func_cygming_ms_implib_p ARG
+# This predicate returns with zero status (TRUE) if
+# ARG is an MS-style import library. Returns
+# with nonzero status (FALSE) otherwise.
+func_cygming_ms_implib_p ()
+{
+  $debug_cmd
+
+  func_to_tool_file "$1" func_convert_file_msys_to_w32
+  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
+  test -n "$func_cygming_ms_implib_tmp"
+}
+
 # func_win32_libid arg
 # return the library type of file 'arg'
 #
@@ -3574,8 +4920,9 @@ static const void *lt_preloaded_setup() {
 # Despite the name, also deal with 64 bit binaries.
 func_win32_libid ()
 {
-  $opt_debug
-  win32_libid_type="unknown"
+  $debug_cmd
+
+  win32_libid_type=unknown
   win32_fileres=`file -L $1 2>/dev/null`
   case $win32_fileres in
   *ar\ archive\ import\ library*) # definitely import
@@ -3585,16 +4932,29 @@ func_win32_libid ()
     # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD.
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null |
        $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then
-      func_to_tool_file "$1" func_convert_file_msys_to_w32
-      win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
-	$SED -n -e '
+      case $nm_interface in
+      "MS dumpbin")
+	if func_cygming_ms_implib_p "$1" ||
+	   func_cygming_gnu_implib_p "$1"
+	then
+	  win32_nmres=import
+	else
+	  win32_nmres=
+	fi
+	;;
+      *)
+	func_to_tool_file "$1" func_convert_file_msys_to_w32
+	win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" |
+	  $SED -n -e '
 	    1,100{
 		/ I /{
-		    s,.*,import,
+		    s|.*|import|
 		    p
 		    q
 		}
 	    }'`
+	;;
+      esac
       case $win32_nmres in
       import*)  win32_libid_type="x86 archive import";;
       *)        win32_libid_type="x86 archive static";;
@@ -3626,7 +4986,8 @@ func_win32_libid ()
 #    $sharedlib_from_linklib_result
 func_cygming_dll_for_implib ()
 {
-  $opt_debug
+  $debug_cmd
+
   sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"`
 }
 
@@ -3643,7 +5004,8 @@ func_cygming_dll_for_implib ()
 # specified import library.
 func_cygming_dll_for_implib_fallback_core ()
 {
-  $opt_debug
+  $debug_cmd
+
   match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"`
   $OBJDUMP -s --section "$1" "$2" 2>/dev/null |
     $SED '/^Contents of section '"$match_literal"':/{
@@ -3679,8 +5041,8 @@ func_cygming_dll_for_implib_fallback_core ()
       /./p' |
     # we now have a list, one entry per line, of the stringified
     # contents of the appropriate section of all members of the
-    # archive which possess that section. Heuristic: eliminate
-    # all those which have a first or second character that is
+    # archive that possess that section. Heuristic: eliminate
+    # all those that have a first or second character that is
     # a '.' (that is, objdump's representation of an unprintable
     # character.) This should work for all archives with less than
     # 0x302f exports -- but will fail for DLLs whose name actually
@@ -3691,30 +5053,6 @@ func_cygming_dll_for_implib_fallback_core ()
     $SED -e '/^\./d;/^.\./d;q'
 }
 
-# func_cygming_gnu_implib_p ARG
-# This predicate returns with zero status (TRUE) if
-# ARG is a GNU/binutils-style import library. Returns
-# with nonzero status (FALSE) otherwise.
-func_cygming_gnu_implib_p ()
-{
-  $opt_debug
-  func_to_tool_file "$1" func_convert_file_msys_to_w32
-  func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'`
-  test -n "$func_cygming_gnu_implib_tmp"
-}
-
-# func_cygming_ms_implib_p ARG
-# This predicate returns with zero status (TRUE) if
-# ARG is an MS-style import library. Returns
-# with nonzero status (FALSE) otherwise.
-func_cygming_ms_implib_p ()
-{
-  $opt_debug
-  func_to_tool_file "$1" func_convert_file_msys_to_w32
-  func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'`
-  test -n "$func_cygming_ms_implib_tmp"
-}
-
 # func_cygming_dll_for_implib_fallback ARG
 # Platform-specific function to extract the
 # name of the DLL associated with the specified
@@ -3728,16 +5066,17 @@ func_cygming_ms_implib_p ()
 #    $sharedlib_from_linklib_result
 func_cygming_dll_for_implib_fallback ()
 {
-  $opt_debug
-  if func_cygming_gnu_implib_p "$1" ; then
+  $debug_cmd
+
+  if func_cygming_gnu_implib_p "$1"; then
     # binutils import library
     sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"`
-  elif func_cygming_ms_implib_p "$1" ; then
+  elif func_cygming_ms_implib_p "$1"; then
     # ms-generated import library
     sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"`
   else
     # unknown
-    sharedlib_from_linklib_result=""
+    sharedlib_from_linklib_result=
   fi
 }
 
@@ -3745,10 +5084,11 @@ func_cygming_dll_for_implib_fallback ()
 # func_extract_an_archive dir oldlib
 func_extract_an_archive ()
 {
-    $opt_debug
-    f_ex_an_ar_dir="$1"; shift
-    f_ex_an_ar_oldlib="$1"
-    if test "$lock_old_archive_extraction" = yes; then
+    $debug_cmd
+
+    f_ex_an_ar_dir=$1; shift
+    f_ex_an_ar_oldlib=$1
+    if test yes = "$lock_old_archive_extraction"; then
       lockfile=$f_ex_an_ar_oldlib.lock
       until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do
 	func_echo "Waiting for $lockfile to be removed"
@@ -3757,7 +5097,7 @@ func_extract_an_archive ()
     fi
     func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \
 		   'stat=$?; rm -f "$lockfile"; exit $stat'
-    if test "$lock_old_archive_extraction" = yes; then
+    if test yes = "$lock_old_archive_extraction"; then
       $opt_dry_run || rm -f "$lockfile"
     fi
     if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
@@ -3771,22 +5111,23 @@ func_extract_an_archive ()
 # func_extract_archives gentop oldlib ...
 func_extract_archives ()
 {
-    $opt_debug
-    my_gentop="$1"; shift
+    $debug_cmd
+
+    my_gentop=$1; shift
     my_oldlibs=${1+"$@"}
-    my_oldobjs=""
-    my_xlib=""
-    my_xabs=""
-    my_xdir=""
+    my_oldobjs=
+    my_xlib=
+    my_xabs=
+    my_xdir=
 
     for my_xlib in $my_oldlibs; do
       # Extract the objects.
       case $my_xlib in
-	[\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;;
+	[\\/]* | [A-Za-z]:[\\/]*) my_xabs=$my_xlib ;;
 	*) my_xabs=`pwd`"/$my_xlib" ;;
       esac
       func_basename "$my_xlib"
-      my_xlib="$func_basename_result"
+      my_xlib=$func_basename_result
       my_xlib_u=$my_xlib
       while :; do
         case " $extracted_archives " in
@@ -3798,7 +5139,7 @@ func_extract_archives ()
 	esac
       done
       extracted_archives="$extracted_archives $my_xlib_u"
-      my_xdir="$my_gentop/$my_xlib_u"
+      my_xdir=$my_gentop/$my_xlib_u
 
       func_mkdir_p "$my_xdir"
 
@@ -3811,22 +5152,23 @@ func_extract_archives ()
 	  cd $my_xdir || exit $?
 	  darwin_archive=$my_xabs
 	  darwin_curdir=`pwd`
-	  darwin_base_archive=`basename "$darwin_archive"`
+	  func_basename "$darwin_archive"
+	  darwin_base_archive=$func_basename_result
 	  darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true`
 	  if test -n "$darwin_arches"; then
 	    darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'`
 	    darwin_arch=
 	    func_verbose "$darwin_base_archive has multiple architectures $darwin_arches"
-	    for darwin_arch in  $darwin_arches ; do
-	      func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
+	    for darwin_arch in  $darwin_arches; do
+	      func_mkdir_p "unfat-$$/$darwin_base_archive-$darwin_arch"
+	      $LIPO -thin $darwin_arch -output "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive" "$darwin_archive"
+	      cd "unfat-$$/$darwin_base_archive-$darwin_arch"
+	      func_extract_an_archive "`pwd`" "$darwin_base_archive"
 	      cd "$darwin_curdir"
-	      $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
+	      $RM "unfat-$$/$darwin_base_archive-$darwin_arch/$darwin_base_archive"
 	    done # $darwin_arches
             ## Okay now we've a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u`
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$sed_basename" | sort -u`
 	    darwin_file=
 	    darwin_files=
 	    for darwin_file in $darwin_filelist; do
@@ -3848,7 +5190,7 @@ func_extract_archives ()
       my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP`
     done
 
-    func_extract_archives_result="$my_oldobjs"
+    func_extract_archives_result=$my_oldobjs
 }
 
 
@@ -3863,7 +5205,7 @@ func_extract_archives ()
 #
 # ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR
 # variable will take.  If 'yes', then the emitted script
-# will assume that the directory in which it is stored is
+# will assume that the directory where it is stored is
 # the $objdir directory.  This is a cygwin/mingw-specific
 # behavior.
 func_emit_wrapper ()
@@ -3874,7 +5216,7 @@ func_emit_wrapper ()
 #! $SHELL
 
 # $output - temporary wrapper script for $objdir/$outputname
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
 #
 # The $output program cannot be directly executed until all the libtool
 # libraries that it depends on are installed.
@@ -3931,9 +5273,9 @@ _LTECHO_EOF'
 
 # Very basic option parsing. These options are (a) specific to
 # the libtool wrapper, (b) are identical between the wrapper
-# /script/ and the wrapper /executable/ which is used only on
+# /script/ and the wrapper /executable/ that is used only on
 # windows platforms, and (c) all begin with the string "--lt-"
-# (application programs are unlikely to have options which match
+# (application programs are unlikely to have options that match
 # this pattern).
 #
 # There are only two supported options: --lt-debug and
@@ -3966,7 +5308,7 @@ func_parse_lt_options ()
 
   # Print the debug banner immediately:
   if test -n \"\$lt_option_debug\"; then
-    echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2
+    echo \"$outputname:$output:\$LINENO: libtool wrapper (GNU $PACKAGE) $VERSION\" 1>&2
   fi
 }
 
@@ -3977,7 +5319,7 @@ func_lt_dump_args ()
   lt_dump_args_N=1;
   for lt_arg
   do
-    \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\"
+    \$ECHO \"$outputname:$output:\$LINENO: newargv[\$lt_dump_args_N]: \$lt_arg\"
     lt_dump_args_N=\`expr \$lt_dump_args_N + 1\`
   done
 }
@@ -3991,7 +5333,7 @@ func_exec_program_core ()
   *-*-mingw | *-*-os2* | *-cegcc*)
     $ECHO "\
       if test -n \"\$lt_option_debug\"; then
-        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2
+        \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir\\\\\$program\" 1>&2
         func_lt_dump_args \${1+\"\$@\"} 1>&2
       fi
       exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
@@ -4001,7 +5343,7 @@ func_exec_program_core ()
   *)
     $ECHO "\
       if test -n \"\$lt_option_debug\"; then
-        \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2
+        \$ECHO \"$outputname:$output:\$LINENO: newargv[0]: \$progdir/\$program\" 1>&2
         func_lt_dump_args \${1+\"\$@\"} 1>&2
       fi
       exec \"\$progdir/\$program\" \${1+\"\$@\"}
@@ -4076,13 +5418,13 @@ func_exec_program ()
   test -n \"\$absdir\" && thisdir=\"\$absdir\"
 "
 
-	if test "$fast_install" = yes; then
+	if test yes = "$fast_install"; then
 	  $ECHO "\
   program=lt-'$outputname'$exeext
   progdir=\"\$thisdir/$objdir\"
 
   if test ! -f \"\$progdir/\$program\" ||
-     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\
+     { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | $SED 1q\`; \\
        test \"X\$file\" != \"X\$progdir/\$program\"; }; then
 
     file=\"\$\$-\$program\"
@@ -4099,7 +5441,7 @@ func_exec_program ()
     if test -n \"\$relink_command\"; then
       if relink_command_output=\`eval \$relink_command 2>&1\`; then :
       else
-	$ECHO \"\$relink_command_output\" >&2
+	\$ECHO \"\$relink_command_output\" >&2
 	$RM \"\$progdir/\$file\"
 	exit 1
       fi
@@ -4134,7 +5476,7 @@ func_exec_program ()
 	fi
 
 	# Export our shlibpath_var if we have one.
-	if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	if test yes = "$shlibpath_overrides_runpath" && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
 	  $ECHO "\
     # Add our own library path to $shlibpath_var
     $shlibpath_var=\"$temp_rpath\$$shlibpath_var\"
@@ -4154,7 +5496,7 @@ func_exec_program ()
     fi
   else
     # The program doesn't exist.
-    \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
+    \$ECHO \"\$0: error: '\$progdir/\$program' does not exist\" 1>&2
     \$ECHO \"This script is just a wrapper for \$program.\" 1>&2
     \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2
     exit 1
@@ -4173,7 +5515,7 @@ func_emit_cwrapperexe_src ()
 	cat <<EOF
 
 /* $cwrappersource - temporary wrapper executable for $objdir/$outputname
-   Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+   Generated by $PROGRAM (GNU $PACKAGE) $VERSION
 
    The $output program cannot be directly executed until all the libtool
    libraries that it depends on are installed.
@@ -4208,47 +5550,45 @@ EOF
 #include <fcntl.h>
 #include <sys/stat.h>
 
+#define STREQ(s1, s2) (strcmp ((s1), (s2)) == 0)
+
 /* declarations of non-ANSI functions */
-#if defined(__MINGW32__)
+#if defined __MINGW32__
 # ifdef __STRICT_ANSI__
 int _putenv (const char *);
 # endif
-#elif defined(__CYGWIN__)
+#elif defined __CYGWIN__
 # ifdef __STRICT_ANSI__
 char *realpath (const char *, char *);
 int putenv (char *);
 int setenv (const char *, const char *, int);
 # endif
-/* #elif defined (other platforms) ... */
+/* #elif defined other_platform || defined ... */
 #endif
 
 /* portability defines, excluding path handling macros */
-#if defined(_MSC_VER)
+#if defined _MSC_VER
 # define setmode _setmode
 # define stat    _stat
 # define chmod   _chmod
 # define getcwd  _getcwd
 # define putenv  _putenv
 # define S_IXUSR _S_IEXEC
-# ifndef _INTPTR_T_DEFINED
-#  define _INTPTR_T_DEFINED
-#  define intptr_t int
-# endif
-#elif defined(__MINGW32__)
+#elif defined __MINGW32__
 # define setmode _setmode
 # define stat    _stat
 # define chmod   _chmod
 # define getcwd  _getcwd
 # define putenv  _putenv
-#elif defined(__CYGWIN__)
+#elif defined __CYGWIN__
 # define HAVE_SETENV
 # define FOPEN_WB "wb"
-/* #elif defined (other platforms) ... */
+/* #elif defined other platforms ... */
 #endif
 
-#if defined(PATH_MAX)
+#if defined PATH_MAX
 # define LT_PATHMAX PATH_MAX
-#elif defined(MAXPATHLEN)
+#elif defined MAXPATHLEN
 # define LT_PATHMAX MAXPATHLEN
 #else
 # define LT_PATHMAX 1024
@@ -4267,8 +5607,8 @@ int setenv (const char *, const char *, int);
 # define PATH_SEPARATOR ':'
 #endif
 
-#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
-  defined (__OS2__)
+#if defined _WIN32 || defined __MSDOS__ || defined __DJGPP__ || \
+  defined __OS2__
 # define HAVE_DOS_BASED_FILE_SYSTEM
 # define FOPEN_WB "wb"
 # ifndef DIR_SEPARATOR_2
@@ -4301,10 +5641,10 @@ int setenv (const char *, const char *, int);
 
 #define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
 #define XFREE(stale) do { \
-  if (stale) { free ((void *) stale); stale = 0; } \
+  if (stale) { free (stale); stale = 0; } \
 } while (0)
 
-#if defined(LT_DEBUGWRAPPER)
+#if defined LT_DEBUGWRAPPER
 static int lt_debug = 1;
 #else
 static int lt_debug = 0;
@@ -4333,11 +5673,16 @@ void lt_dump_script (FILE *f);
 EOF
 
 	    cat <<EOF
-volatile const char * MAGIC_EXE = "$magic_exe";
+#if __GNUC__ < 4 || (__GNUC__ == 4 && __GNUC_MINOR__ < 5)
+# define externally_visible volatile
+#else
+# define externally_visible __attribute__((externally_visible)) volatile
+#endif
+externally_visible const char * MAGIC_EXE = "$magic_exe";
 const char * LIB_PATH_VARNAME = "$shlibpath_var";
 EOF
 
-	    if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
+	    if test yes = "$shlibpath_overrides_runpath" && test -n "$shlibpath_var" && test -n "$temp_rpath"; then
               func_to_host_path "$temp_rpath"
 	      cat <<EOF
 const char * LIB_PATH_VALUE   = "$func_to_host_path_result";
@@ -4361,7 +5706,7 @@ const char * EXE_PATH_VALUE   = "";
 EOF
 	    fi
 
-	    if test "$fast_install" = yes; then
+	    if test yes = "$fast_install"; then
 	      cat <<EOF
 const char * TARGET_PROGRAM_NAME = "lt-$outputname"; /* hopefully, no .exe */
 EOF
@@ -4390,12 +5735,12 @@ main (int argc, char *argv[])
   char *actual_cwrapper_name;
   char *target_name;
   char *lt_argv_zero;
-  intptr_t rval = 127;
+  int rval = 127;
 
   int i;
 
   program_name = (char *) xstrdup (base_name (argv[0]));
-  newargz = XMALLOC (char *, argc + 1);
+  newargz = XMALLOC (char *, (size_t) argc + 1);
 
   /* very simple arg parsing; don't want to rely on getopt
    * also, copy all non cwrapper options to newargz, except
@@ -4404,10 +5749,10 @@ main (int argc, char *argv[])
   newargc=0;
   for (i = 1; i < argc; i++)
     {
-      if (strcmp (argv[i], dumpscript_opt) == 0)
+      if (STREQ (argv[i], dumpscript_opt))
 	{
 EOF
-	    case "$host" in
+	    case $host in
 	      *mingw* | *cygwin* )
 		# make stdout use "unix" line endings
 		echo "          setmode(1,_O_BINARY);"
@@ -4418,12 +5763,12 @@ EOF
 	  lt_dump_script (stdout);
 	  return 0;
 	}
-      if (strcmp (argv[i], debug_opt) == 0)
+      if (STREQ (argv[i], debug_opt))
 	{
           lt_debug = 1;
           continue;
 	}
-      if (strcmp (argv[i], ltwrapper_option_prefix) == 0)
+      if (STREQ (argv[i], ltwrapper_option_prefix))
         {
           /* however, if there is an option in the LTWRAPPER_OPTION_PREFIX
              namespace, but it is not one of the ones we know about and
@@ -4446,7 +5791,7 @@ EOF
 EOF
 	    cat <<EOF
   /* The GNU banner must be the first non-error debug message */
-  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\n");
+  lt_debugprintf (__FILE__, __LINE__, "libtool wrapper (GNU $PACKAGE) $VERSION\n");
 EOF
 	    cat <<"EOF"
   lt_debugprintf (__FILE__, __LINE__, "(main) argv[0]: %s\n", argv[0]);
@@ -4557,7 +5902,7 @@ EOF
 		cat <<"EOF"
   /* execv doesn't actually work on mingw as expected on unix */
   newargz = prepare_spawn (newargz);
-  rval = _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
+  rval = (int) _spawnv (_P_WAIT, lt_argv_zero, (const char * const *) newargz);
   if (rval == -1)
     {
       /* failed to start process */
@@ -4602,7 +5947,7 @@ base_name (const char *name)
 {
   const char *base;
 
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
   /* Skip over the disk name in MSDOS pathnames. */
   if (isalpha ((unsigned char) name[0]) && name[1] == ':')
     name += 2;
@@ -4661,7 +6006,7 @@ find_executable (const char *wrapper)
   const char *p_next;
   /* static buffer for getcwd */
   char tmp[LT_PATHMAX + 1];
-  int tmp_len;
+  size_t tmp_len;
   char *concat_name;
 
   lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n",
@@ -4671,7 +6016,7 @@ find_executable (const char *wrapper)
     return NULL;
 
   /* Absolute path? */
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
   if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':')
     {
       concat_name = xstrdup (wrapper);
@@ -4689,7 +6034,7 @@ find_executable (const char *wrapper)
 	    return concat_name;
 	  XFREE (concat_name);
 	}
-#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+#if defined HAVE_DOS_BASED_FILE_SYSTEM
     }
 #endif
 
@@ -4712,7 +6057,7 @@ find_executable (const char *wrapper)
 	      for (q = p; *q; q++)
 		if (IS_PATH_SEPARATOR (*q))
 		  break;
-	      p_len = q - p;
+	      p_len = (size_t) (q - p);
 	      p_next = (*q == '\0' ? q : q + 1);
 	      if (p_len == 0)
 		{
@@ -4831,7 +6176,7 @@ strendzap (char *str, const char *pat)
   if (patlen <= len)
     {
       str += len - patlen;
-      if (strcmp (str, pat) == 0)
+      if (STREQ (str, pat))
 	*str = '\0';
     }
   return str;
@@ -4896,7 +6241,7 @@ lt_setenv (const char *name, const char *value)
     char *str = xstrdup (value);
     setenv (name, str, 1);
 #else
-    int len = strlen (name) + 1 + strlen (value) + 1;
+    size_t len = strlen (name) + 1 + strlen (value) + 1;
     char *str = XMALLOC (char, len);
     sprintf (str, "%s=%s", name, value);
     if (putenv (str) != EXIT_SUCCESS)
@@ -4913,8 +6258,8 @@ lt_extend_str (const char *orig_value, const char *add, int to_end)
   char *new_value;
   if (orig_value && *orig_value)
     {
-      int orig_value_len = strlen (orig_value);
-      int add_len = strlen (add);
+      size_t orig_value_len = strlen (orig_value);
+      size_t add_len = strlen (add);
       new_value = XMALLOC (char, add_len + orig_value_len + 1);
       if (to_end)
         {
@@ -4945,10 +6290,10 @@ lt_update_exe_path (const char *name, const char *value)
     {
       char *new_value = lt_extend_str (getenv (name), value, 0);
       /* some systems can't cope with a ':'-terminated path #' */
-      int len = strlen (new_value);
-      while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1]))
+      size_t len = strlen (new_value);
+      while ((len > 0) && IS_PATH_SEPARATOR (new_value[len-1]))
         {
-          new_value[len-1] = '\0';
+          new_value[--len] = '\0';
         }
       lt_setenv (name, new_value);
       XFREE (new_value);
@@ -5115,27 +6460,47 @@ EOF
 # True if ARG is an import lib, as indicated by $file_magic_cmd
 func_win32_import_lib_p ()
 {
-    $opt_debug
+    $debug_cmd
+
     case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in
     *import*) : ;;
     *) false ;;
     esac
 }
 
+# func_suncc_cstd_abi
+# !!ONLY CALL THIS FOR SUN CC AFTER $compile_command IS FULLY EXPANDED!!
+# Several compiler flags select an ABI that is incompatible with the
+# Cstd library. Avoid specifying it if any are in CXXFLAGS.
+func_suncc_cstd_abi ()
+{
+    $debug_cmd
+
+    case " $compile_command " in
+    *" -compat=g "*|*\ -std=c++[0-9][0-9]\ *|*" -library=stdcxx4 "*|*" -library=stlport4 "*)
+      suncc_use_cstd_abi=no
+      ;;
+    *)
+      suncc_use_cstd_abi=yes
+      ;;
+    esac
+}
+
 # func_mode_link arg...
 func_mode_link ()
 {
-    $opt_debug
+    $debug_cmd
+
     case $host in
     *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
       # It is impossible to link a dll without this setting, and
       # we shouldn't force the makefile maintainer to figure out
-      # which system we are compiling for in order to pass an extra
+      # what system we are compiling for in order to pass an extra
       # flag for every libtool invocation.
       # allow_undefined=no
 
       # FIXME: Unfortunately, there are problems with the above when trying
-      # to make a dll which has undefined symbols, in which case not
+      # to make a dll that has undefined symbols, in which case not
       # even a static library is built.  For now, we need to specify
       # -no-undefined on the libtool link line when we can be certain
       # that all symbols are satisfied, otherwise we get a static library.
@@ -5179,10 +6544,11 @@ func_mode_link ()
     module=no
     no_install=no
     objs=
+    os2dllname=
     non_pic_objects=
     precious_files_regex=
     prefer_static_libs=no
-    preload=no
+    preload=false
     prev=
     prevarg=
     release=
@@ -5194,7 +6560,7 @@ func_mode_link ()
     vinfo=
     vinfo_number=no
     weak_libs=
-    single_module="${wl}-single_module"
+    single_module=$wl-single_module
     func_infer_tag $base_compile
 
     # We need to know -static, to get the right output filenames.
@@ -5202,15 +6568,15 @@ func_mode_link ()
     do
       case $arg in
       -shared)
-	test "$build_libtool_libs" != yes && \
-	  func_fatal_configuration "can not build a shared library"
+	test yes != "$build_libtool_libs" \
+	  && func_fatal_configuration "cannot build a shared library"
 	build_old_libs=no
 	break
 	;;
       -all-static | -static | -static-libtool-libs)
 	case $arg in
 	-all-static)
-	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
+	  if test yes = "$build_libtool_libs" && test -z "$link_static_flag"; then
 	    func_warning "complete static linking is impossible in this configuration"
 	  fi
 	  if test -n "$link_static_flag"; then
@@ -5243,7 +6609,7 @@ func_mode_link ()
 
     # Go through the arguments, transforming them on the way.
     while test "$#" -gt 0; do
-      arg="$1"
+      arg=$1
       shift
       func_quote_for_eval "$arg"
       qarg=$func_quote_for_eval_unquoted_result
@@ -5260,21 +6626,21 @@ func_mode_link ()
 
 	case $prev in
 	bindir)
-	  bindir="$arg"
+	  bindir=$arg
 	  prev=
 	  continue
 	  ;;
 	dlfiles|dlprefiles)
-	  if test "$preload" = no; then
+	  $preload || {
 	    # Add the symbol object into the linking commands.
 	    func_append compile_command " @SYMFILE@"
 	    func_append finalize_command " @SYMFILE@"
-	    preload=yes
-	  fi
+	    preload=:
+	  }
 	  case $arg in
 	  *.la | *.lo) ;;  # We handle these cases below.
 	  force)
-	    if test "$dlself" = no; then
+	    if test no = "$dlself"; then
 	      dlself=needless
 	      export_dynamic=yes
 	    fi
@@ -5282,9 +6648,9 @@ func_mode_link ()
 	    continue
 	    ;;
 	  self)
-	    if test "$prev" = dlprefiles; then
+	    if test dlprefiles = "$prev"; then
 	      dlself=yes
-	    elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then
+	    elif test dlfiles = "$prev" && test yes != "$dlopen_self"; then
 	      dlself=yes
 	    else
 	      dlself=needless
@@ -5294,7 +6660,7 @@ func_mode_link ()
 	    continue
 	    ;;
 	  *)
-	    if test "$prev" = dlfiles; then
+	    if test dlfiles = "$prev"; then
 	      func_append dlfiles " $arg"
 	    else
 	      func_append dlprefiles " $arg"
@@ -5305,14 +6671,14 @@ func_mode_link ()
 	  esac
 	  ;;
 	expsyms)
-	  export_symbols="$arg"
+	  export_symbols=$arg
 	  test -f "$arg" \
-	    || func_fatal_error "symbol file \`$arg' does not exist"
+	    || func_fatal_error "symbol file '$arg' does not exist"
 	  prev=
 	  continue
 	  ;;
 	expsyms_regex)
-	  export_symbols_regex="$arg"
+	  export_symbols_regex=$arg
 	  prev=
 	  continue
 	  ;;
@@ -5330,7 +6696,13 @@ func_mode_link ()
 	  continue
 	  ;;
 	inst_prefix)
-	  inst_prefix_dir="$arg"
+	  inst_prefix_dir=$arg
+	  prev=
+	  continue
+	  ;;
+	mllvm)
+	  # Clang does not use LLVM to link, so we can simply discard any
+	  # '-mllvm $arg' options when doing the link step.
 	  prev=
 	  continue
 	  ;;
@@ -5354,21 +6726,21 @@ func_mode_link ()
 
 		if test -z "$pic_object" ||
 		   test -z "$non_pic_object" ||
-		   test "$pic_object" = none &&
-		   test "$non_pic_object" = none; then
-		  func_fatal_error "cannot find name of object for \`$arg'"
+		   test none = "$pic_object" &&
+		   test none = "$non_pic_object"; then
+		  func_fatal_error "cannot find name of object for '$arg'"
 		fi
 
 		# Extract subdirectory from the argument.
 		func_dirname "$arg" "/" ""
-		xdir="$func_dirname_result"
+		xdir=$func_dirname_result
 
-		if test "$pic_object" != none; then
+		if test none != "$pic_object"; then
 		  # Prepend the subdirectory the object is found in.
-		  pic_object="$xdir$pic_object"
+		  pic_object=$xdir$pic_object
 
-		  if test "$prev" = dlfiles; then
-		    if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+		  if test dlfiles = "$prev"; then
+		    if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then
 		      func_append dlfiles " $pic_object"
 		      prev=
 		      continue
@@ -5379,7 +6751,7 @@ func_mode_link ()
 		  fi
 
 		  # CHECK ME:  I think I busted this.  -Ossama
-		  if test "$prev" = dlprefiles; then
+		  if test dlprefiles = "$prev"; then
 		    # Preload the old-style object.
 		    func_append dlprefiles " $pic_object"
 		    prev=
@@ -5387,23 +6759,23 @@ func_mode_link ()
 
 		  # A PIC object.
 		  func_append libobjs " $pic_object"
-		  arg="$pic_object"
+		  arg=$pic_object
 		fi
 
 		# Non-PIC object.
-		if test "$non_pic_object" != none; then
+		if test none != "$non_pic_object"; then
 		  # Prepend the subdirectory the object is found in.
-		  non_pic_object="$xdir$non_pic_object"
+		  non_pic_object=$xdir$non_pic_object
 
 		  # A standard non-PIC object
 		  func_append non_pic_objects " $non_pic_object"
-		  if test -z "$pic_object" || test "$pic_object" = none ; then
-		    arg="$non_pic_object"
+		  if test -z "$pic_object" || test none = "$pic_object"; then
+		    arg=$non_pic_object
 		  fi
 		else
 		  # If the PIC object exists, use it instead.
 		  # $xdir was prepended to $pic_object above.
-		  non_pic_object="$pic_object"
+		  non_pic_object=$pic_object
 		  func_append non_pic_objects " $non_pic_object"
 		fi
 	      else
@@ -5411,7 +6783,7 @@ func_mode_link ()
 		if $opt_dry_run; then
 		  # Extract subdirectory from the argument.
 		  func_dirname "$arg" "/" ""
-		  xdir="$func_dirname_result"
+		  xdir=$func_dirname_result
 
 		  func_lo2o "$arg"
 		  pic_object=$xdir$objdir/$func_lo2o_result
@@ -5419,24 +6791,29 @@ func_mode_link ()
 		  func_append libobjs " $pic_object"
 		  func_append non_pic_objects " $non_pic_object"
 	        else
-		  func_fatal_error "\`$arg' is not a valid libtool object"
+		  func_fatal_error "'$arg' is not a valid libtool object"
 		fi
 	      fi
 	    done
 	  else
-	    func_fatal_error "link input file \`$arg' does not exist"
+	    func_fatal_error "link input file '$arg' does not exist"
 	  fi
 	  arg=$save_arg
 	  prev=
 	  continue
 	  ;;
+	os2dllname)
+	  os2dllname=$arg
+	  prev=
+	  continue
+	  ;;
 	precious_regex)
-	  precious_files_regex="$arg"
+	  precious_files_regex=$arg
 	  prev=
 	  continue
 	  ;;
 	release)
-	  release="-$arg"
+	  release=-$arg
 	  prev=
 	  continue
 	  ;;
@@ -5448,7 +6825,7 @@ func_mode_link ()
 	    func_fatal_error "only absolute run-paths are allowed"
 	    ;;
 	  esac
-	  if test "$prev" = rpath; then
+	  if test rpath = "$prev"; then
 	    case "$rpath " in
 	    *" $arg "*) ;;
 	    *) func_append rpath " $arg" ;;
@@ -5463,7 +6840,7 @@ func_mode_link ()
 	  continue
 	  ;;
 	shrext)
-	  shrext_cmds="$arg"
+	  shrext_cmds=$arg
 	  prev=
 	  continue
 	  ;;
@@ -5503,7 +6880,7 @@ func_mode_link ()
 	esac
       fi # test -n "$prev"
 
-      prevarg="$arg"
+      prevarg=$arg
 
       case $arg in
       -all-static)
@@ -5517,7 +6894,7 @@ func_mode_link ()
 
       -allow-undefined)
 	# FIXME: remove this flag sometime in the future.
-	func_fatal_error "\`-allow-undefined' must not be used because it is the default"
+	func_fatal_error "'-allow-undefined' must not be used because it is the default"
 	;;
 
       -avoid-version)
@@ -5549,7 +6926,7 @@ func_mode_link ()
 	if test -n "$export_symbols" || test -n "$export_symbols_regex"; then
 	  func_fatal_error "more than one -exported-symbols argument is not allowed"
 	fi
-	if test "X$arg" = "X-export-symbols"; then
+	if test X-export-symbols = "X$arg"; then
 	  prev=expsyms
 	else
 	  prev=expsyms_regex
@@ -5583,9 +6960,9 @@ func_mode_link ()
 	func_stripname "-L" '' "$arg"
 	if test -z "$func_stripname_result"; then
 	  if test "$#" -gt 0; then
-	    func_fatal_error "require no space between \`-L' and \`$1'"
+	    func_fatal_error "require no space between '-L' and '$1'"
 	  else
-	    func_fatal_error "need path for \`-L' option"
+	    func_fatal_error "need path for '-L' option"
 	  fi
 	fi
 	func_resolve_sysroot "$func_stripname_result"
@@ -5596,8 +6973,8 @@ func_mode_link ()
 	*)
 	  absdir=`cd "$dir" && pwd`
 	  test -z "$absdir" && \
-	    func_fatal_error "cannot determine absolute directory name of \`$dir'"
-	  dir="$absdir"
+	    func_fatal_error "cannot determine absolute directory name of '$dir'"
+	  dir=$absdir
 	  ;;
 	esac
 	case "$deplibs " in
@@ -5628,12 +7005,11 @@ func_mode_link ()
 	  esac
 	  ;;
 	esac
-	deplibs="$deplibs $arg"
 	continue
 	;;
 
       -l*)
-	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
+	if test X-lc = "X$arg" || test X-lm = "X$arg"; then
 	  case $host in
 	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*)
 	    # These systems don't actually have a C or math library (as such)
@@ -5641,11 +7017,11 @@ func_mode_link ()
 	    ;;
 	  *-*-os2*)
 	    # These systems don't actually have a C library (as such)
-	    test "X$arg" = "X-lc" && continue
+	    test X-lc = "X$arg" && continue
 	    ;;
-	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*)
 	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
+	    test X-lc = "X$arg" && continue
 	    ;;
 	  *-*-rhapsody* | *-*-darwin1.[012])
 	    # Rhapsody C and math libraries are in the System framework
@@ -5654,16 +7030,16 @@ func_mode_link ()
 	    ;;
 	  *-*-sco3.2v5* | *-*-sco5v6*)
 	    # Causes problems with __ctype
-	    test "X$arg" = "X-lc" && continue
+	    test X-lc = "X$arg" && continue
 	    ;;
 	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
 	    # Compiler inserts libc in the correct place for threads to work
-	    test "X$arg" = "X-lc" && continue
+	    test X-lc = "X$arg" && continue
 	    ;;
 	  esac
-	elif test "X$arg" = "X-lc_r"; then
+	elif test X-lc_r = "X$arg"; then
 	 case $host in
-	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly* | *-*-bitrig*)
 	   # Do not include libc_r directly, use -pthread flag.
 	   continue
 	   ;;
@@ -5673,6 +7049,11 @@ func_mode_link ()
 	continue
 	;;
 
+      -mllvm)
+	prev=mllvm
+	continue
+	;;
+
       -module)
 	module=yes
 	continue
@@ -5702,7 +7083,7 @@ func_mode_link ()
 	;;
 
       -multi_module)
-	single_module="${wl}-multi_module"
+	single_module=$wl-multi_module
 	continue
 	;;
 
@@ -5716,8 +7097,8 @@ func_mode_link ()
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*)
 	  # The PATH hackery in wrapper scripts is required on Windows
 	  # and Darwin in order for the loader to find any dlls it needs.
-	  func_warning "\`-no-install' is ignored for $host"
-	  func_warning "assuming \`-no-fast-install' instead"
+	  func_warning "'-no-install' is ignored for $host"
+	  func_warning "assuming '-no-fast-install' instead"
 	  fast_install=no
 	  ;;
 	*) no_install=yes ;;
@@ -5735,6 +7116,11 @@ func_mode_link ()
 	continue
 	;;
 
+      -os2dllname)
+	prev=os2dllname
+	continue
+	;;
+
       -o) prev=output ;;
 
       -precious-files-regex)
@@ -5822,14 +7208,14 @@ func_mode_link ()
 	func_stripname '-Wc,' '' "$arg"
 	args=$func_stripname_result
 	arg=
-	save_ifs="$IFS"; IFS=','
+	save_ifs=$IFS; IFS=,
 	for flag in $args; do
-	  IFS="$save_ifs"
+	  IFS=$save_ifs
           func_quote_for_eval "$flag"
 	  func_append arg " $func_quote_for_eval_result"
 	  func_append compiler_flags " $func_quote_for_eval_result"
 	done
-	IFS="$save_ifs"
+	IFS=$save_ifs
 	func_stripname ' ' '' "$arg"
 	arg=$func_stripname_result
 	;;
@@ -5838,15 +7224,15 @@ func_mode_link ()
 	func_stripname '-Wl,' '' "$arg"
 	args=$func_stripname_result
 	arg=
-	save_ifs="$IFS"; IFS=','
+	save_ifs=$IFS; IFS=,
 	for flag in $args; do
-	  IFS="$save_ifs"
+	  IFS=$save_ifs
           func_quote_for_eval "$flag"
 	  func_append arg " $wl$func_quote_for_eval_result"
 	  func_append compiler_flags " $wl$func_quote_for_eval_result"
 	  func_append linker_flags " $func_quote_for_eval_result"
 	done
-	IFS="$save_ifs"
+	IFS=$save_ifs
 	func_stripname ' ' '' "$arg"
 	arg=$func_stripname_result
 	;;
@@ -5869,7 +7255,7 @@ func_mode_link ()
       # -msg_* for osf cc
       -msg_*)
 	func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
+	arg=$func_quote_for_eval_result
 	;;
 
       # Flags to be passed through unchanged, with rationale:
@@ -5881,25 +7267,46 @@ func_mode_link ()
       # -m*, -t[45]*, -txscale* architecture-specific flags for GCC
       # -F/path              path to uninstalled frameworks, gcc on darwin
       # -p, -pg, --coverage, -fprofile-*  profiling flags for GCC
+      # -fstack-protector*   stack protector flags for GCC
       # @file                GCC response files
       # -tp=*                Portland pgcc target processor selection
       # --sysroot=*          for sysroot support
-      # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+      # -O*, -g*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time optimization
+      # -stdlib=*            select c++ std lib with clang
       -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
       -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \
-      -O*|-flto*|-fwhopr*|-fuse-linker-plugin)
+      -O*|-g*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*|-stdlib=*)
         func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
+	arg=$func_quote_for_eval_result
         func_append compile_command " $arg"
         func_append finalize_command " $arg"
         func_append compiler_flags " $arg"
         continue
         ;;
 
+      -Z*)
+        if test os2 = "`expr $host : '.*\(os2\)'`"; then
+          # OS/2 uses -Zxxx to specify OS/2-specific options
+	  compiler_flags="$compiler_flags $arg"
+	  func_append compile_command " $arg"
+	  func_append finalize_command " $arg"
+	  case $arg in
+	  -Zlinker | -Zstack)
+	    prev=xcompiler
+	    ;;
+	  esac
+	  continue
+        else
+	  # Otherwise treat like 'Some other compiler flag' below
+	  func_quote_for_eval "$arg"
+	  arg=$func_quote_for_eval_result
+        fi
+	;;
+
       # Some other compiler flag.
       -* | +*)
         func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
+	arg=$func_quote_for_eval_result
 	;;
 
       *.$objext)
@@ -5920,21 +7327,21 @@ func_mode_link ()
 
 	  if test -z "$pic_object" ||
 	     test -z "$non_pic_object" ||
-	     test "$pic_object" = none &&
-	     test "$non_pic_object" = none; then
-	    func_fatal_error "cannot find name of object for \`$arg'"
+	     test none = "$pic_object" &&
+	     test none = "$non_pic_object"; then
+	    func_fatal_error "cannot find name of object for '$arg'"
 	  fi
 
 	  # Extract subdirectory from the argument.
 	  func_dirname "$arg" "/" ""
-	  xdir="$func_dirname_result"
+	  xdir=$func_dirname_result
 
-	  if test "$pic_object" != none; then
+	  test none = "$pic_object" || {
 	    # Prepend the subdirectory the object is found in.
-	    pic_object="$xdir$pic_object"
+	    pic_object=$xdir$pic_object
 
-	    if test "$prev" = dlfiles; then
-	      if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then
+	    if test dlfiles = "$prev"; then
+	      if test yes = "$build_libtool_libs" && test yes = "$dlopen_support"; then
 		func_append dlfiles " $pic_object"
 		prev=
 		continue
@@ -5945,7 +7352,7 @@ func_mode_link ()
 	    fi
 
 	    # CHECK ME:  I think I busted this.  -Ossama
-	    if test "$prev" = dlprefiles; then
+	    if test dlprefiles = "$prev"; then
 	      # Preload the old-style object.
 	      func_append dlprefiles " $pic_object"
 	      prev=
@@ -5953,23 +7360,23 @@ func_mode_link ()
 
 	    # A PIC object.
 	    func_append libobjs " $pic_object"
-	    arg="$pic_object"
-	  fi
+	    arg=$pic_object
+	  }
 
 	  # Non-PIC object.
-	  if test "$non_pic_object" != none; then
+	  if test none != "$non_pic_object"; then
 	    # Prepend the subdirectory the object is found in.
-	    non_pic_object="$xdir$non_pic_object"
+	    non_pic_object=$xdir$non_pic_object
 
 	    # A standard non-PIC object
 	    func_append non_pic_objects " $non_pic_object"
-	    if test -z "$pic_object" || test "$pic_object" = none ; then
-	      arg="$non_pic_object"
+	    if test -z "$pic_object" || test none = "$pic_object"; then
+	      arg=$non_pic_object
 	    fi
 	  else
 	    # If the PIC object exists, use it instead.
 	    # $xdir was prepended to $pic_object above.
-	    non_pic_object="$pic_object"
+	    non_pic_object=$pic_object
 	    func_append non_pic_objects " $non_pic_object"
 	  fi
 	else
@@ -5977,7 +7384,7 @@ func_mode_link ()
 	  if $opt_dry_run; then
 	    # Extract subdirectory from the argument.
 	    func_dirname "$arg" "/" ""
-	    xdir="$func_dirname_result"
+	    xdir=$func_dirname_result
 
 	    func_lo2o "$arg"
 	    pic_object=$xdir$objdir/$func_lo2o_result
@@ -5985,7 +7392,7 @@ func_mode_link ()
 	    func_append libobjs " $pic_object"
 	    func_append non_pic_objects " $non_pic_object"
 	  else
-	    func_fatal_error "\`$arg' is not a valid libtool object"
+	    func_fatal_error "'$arg' is not a valid libtool object"
 	  fi
 	fi
 	;;
@@ -6001,11 +7408,11 @@ func_mode_link ()
 	# A libtool-controlled library.
 
 	func_resolve_sysroot "$arg"
-	if test "$prev" = dlfiles; then
+	if test dlfiles = "$prev"; then
 	  # This library was specified with -dlopen.
 	  func_append dlfiles " $func_resolve_sysroot_result"
 	  prev=
-	elif test "$prev" = dlprefiles; then
+	elif test dlprefiles = "$prev"; then
 	  # The library was specified with -dlpreopen.
 	  func_append dlprefiles " $func_resolve_sysroot_result"
 	  prev=
@@ -6020,7 +7427,7 @@ func_mode_link ()
 	# Unknown arguments in both finalize_command and compile_command need
 	# to be aesthetically quoted because they are evaled later.
 	func_quote_for_eval "$arg"
-	arg="$func_quote_for_eval_result"
+	arg=$func_quote_for_eval_result
 	;;
       esac # arg
 
@@ -6032,9 +7439,9 @@ func_mode_link ()
     done # argument parsing loop
 
     test -n "$prev" && \
-      func_fatal_help "the \`$prevarg' option requires an argument"
+      func_fatal_help "the '$prevarg' option requires an argument"
 
-    if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then
+    if test yes = "$export_dynamic" && test -n "$export_dynamic_flag_spec"; then
       eval arg=\"$export_dynamic_flag_spec\"
       func_append compile_command " $arg"
       func_append finalize_command " $arg"
@@ -6043,20 +7450,23 @@ func_mode_link ()
     oldlibs=
     # calculate the name of the file, without its directory
     func_basename "$output"
-    outputname="$func_basename_result"
-    libobjs_save="$libobjs"
+    outputname=$func_basename_result
+    libobjs_save=$libobjs
 
     if test -n "$shlibpath_var"; then
       # get the directories listed in $shlibpath_var
-      eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\`
+      eval shlib_search_path=\`\$ECHO \"\$$shlibpath_var\" \| \$SED \'s/:/ /g\'\`
     else
       shlib_search_path=
     fi
     eval sys_lib_search_path=\"$sys_lib_search_path_spec\"
     eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\"
 
+    # Definition is injected by LT_CONFIG during libtool generation.
+    func_munge_path_list sys_lib_dlsearch_path "$LT_SYS_LIBRARY_PATH"
+
     func_dirname "$output" "/" ""
-    output_objdir="$func_dirname_result$objdir"
+    output_objdir=$func_dirname_result$objdir
     func_to_tool_file "$output_objdir/"
     tool_output_objdir=$func_to_tool_file_result
     # Create the object directory.
@@ -6079,7 +7489,7 @@ func_mode_link ()
     # Find all interdependent deplibs by searching for libraries
     # that are linked more than once (e.g. -la -lb -la)
     for deplib in $deplibs; do
-      if $opt_preserve_dup_deps ; then
+      if $opt_preserve_dup_deps; then
 	case "$libs " in
 	*" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	esac
@@ -6087,7 +7497,7 @@ func_mode_link ()
       func_append libs " $deplib"
     done
 
-    if test "$linkmode" = lib; then
+    if test lib = "$linkmode"; then
       libs="$predeps $libs $compiler_lib_search_path $postdeps"
 
       # Compute libraries that are listed more than once in $predeps
@@ -6119,7 +7529,7 @@ func_mode_link ()
 	  case $file in
 	  *.la) ;;
 	  *)
-	    func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file"
+	    func_fatal_help "libraries can '-dlopen' only libtool libraries: $file"
 	    ;;
 	  esac
 	done
@@ -6127,7 +7537,7 @@ func_mode_link ()
     prog)
 	compile_deplibs=
 	finalize_deplibs=
-	alldeplibs=no
+	alldeplibs=false
 	newdlfiles=
 	newdlprefiles=
 	passes="conv scan dlopen dlpreopen link"
@@ -6139,29 +7549,29 @@ func_mode_link ()
     for pass in $passes; do
       # The preopen pass in lib mode reverses $deplibs; put it back here
       # so that -L comes before libs that need it for instance...
-      if test "$linkmode,$pass" = "lib,link"; then
+      if test lib,link = "$linkmode,$pass"; then
 	## FIXME: Find the place where the list is rebuilt in the wrong
 	##        order, and fix it there properly
         tmp_deplibs=
 	for deplib in $deplibs; do
 	  tmp_deplibs="$deplib $tmp_deplibs"
 	done
-	deplibs="$tmp_deplibs"
+	deplibs=$tmp_deplibs
       fi
 
-      if test "$linkmode,$pass" = "lib,link" ||
-	 test "$linkmode,$pass" = "prog,scan"; then
-	libs="$deplibs"
+      if test lib,link = "$linkmode,$pass" ||
+	 test prog,scan = "$linkmode,$pass"; then
+	libs=$deplibs
 	deplibs=
       fi
-      if test "$linkmode" = prog; then
+      if test prog = "$linkmode"; then
 	case $pass in
-	dlopen) libs="$dlfiles" ;;
-	dlpreopen) libs="$dlprefiles" ;;
+	dlopen) libs=$dlfiles ;;
+	dlpreopen) libs=$dlprefiles ;;
 	link) libs="$deplibs %DEPLIBS% $dependency_libs" ;;
 	esac
       fi
-      if test "$linkmode,$pass" = "lib,dlpreopen"; then
+      if test lib,dlpreopen = "$linkmode,$pass"; then
 	# Collect and forward deplibs of preopened libtool libs
 	for lib in $dlprefiles; do
 	  # Ignore non-libtool-libs
@@ -6182,59 +7592,42 @@ func_mode_link ()
 	    esac
 	  done
 	done
-	libs="$dlprefiles"
+	libs=$dlprefiles
       fi
-      if test "$pass" = dlopen; then
+      if test dlopen = "$pass"; then
 	# Collect dlpreopened libraries
-	save_deplibs="$deplibs"
+	save_deplibs=$deplibs
 	deplibs=
       fi
 
       for deplib in $libs; do
 	lib=
-	found=no
+	found=false
 	case $deplib in
 	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \
         |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*)
-	  if test "$linkmode,$pass" = "prog,link"; then
+	  if test prog,link = "$linkmode,$pass"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
 	    func_append compiler_flags " $deplib"
-	  fi
-
-	  case $linkmode in
-	  lib)
-	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
-	    newdependency_libs="$deplib $newdependency_libs"
-	    ;;
-	  prog)
-	    if test "$pass" = conv; then
-	      deplibs="$deplib $deplibs"
-	      continue
-	    fi
-	    if test "$pass" = scan; then
-	      deplibs="$deplib $deplibs"
-	    else
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
+	    if test lib = "$linkmode"; then
+		case "$new_inherited_linker_flags " in
+		    *" $deplib "*) ;;
+		    * ) func_append new_inherited_linker_flags " $deplib" ;;
+		esac
 	    fi
-	    ;;
-	  *)
-	    ;;
-	  esac # linkmode
-
+	  fi
 	  continue
 	  ;;
 	-l*)
-	  if test "$linkmode" != lib && test "$linkmode" != prog; then
-	    func_warning "\`-l' is ignored for archives/objects"
+	  if test lib != "$linkmode" && test prog != "$linkmode"; then
+	    func_warning "'-l' is ignored for archives/objects"
 	    continue
 	  fi
 	  func_stripname '-l' '' "$deplib"
 	  name=$func_stripname_result
-	  if test "$linkmode" = lib; then
+	  if test lib = "$linkmode"; then
 	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
 	  else
 	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
@@ -6242,31 +7635,22 @@ func_mode_link ()
 	  for searchdir in $searchdirs; do
 	    for search_ext in .la $std_shrext .so .a; do
 	      # Search the libtool library
-	      lib="$searchdir/lib${name}${search_ext}"
+	      lib=$searchdir/lib$name$search_ext
 	      if test -f "$lib"; then
-		if test "$search_ext" = ".la"; then
-		  found=yes
+		if test .la = "$search_ext"; then
+		  found=:
 		else
-		  found=no
+		  found=false
 		fi
 		break 2
 	      fi
 	    done
 	  done
-	  if test "$found" != yes; then
-	    # deplib doesn't seem to be a libtool library
-	    if test "$linkmode,$pass" = "prog,link"; then
-	      compile_deplibs="$deplib $compile_deplibs"
-	      finalize_deplibs="$deplib $finalize_deplibs"
-	    else
-	      deplibs="$deplib $deplibs"
-	      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
-	    fi
-	    continue
-	  else # deplib is a libtool library
+	  if $found; then
+	    # deplib is a libtool library
 	    # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib,
 	    # We need to do some special things here, and not later.
-	    if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	    if test yes = "$allow_libtool_libs_with_static_runtimes"; then
 	      case " $predeps $postdeps " in
 	      *" $deplib "*)
 		if func_lalib_p "$lib"; then
@@ -6274,19 +7658,19 @@ func_mode_link ()
 		  old_library=
 		  func_source "$lib"
 		  for l in $old_library $library_names; do
-		    ll="$l"
+		    ll=$l
 		  done
-		  if test "X$ll" = "X$old_library" ; then # only static version available
-		    found=no
+		  if test "X$ll" = "X$old_library"; then # only static version available
+		    found=false
 		    func_dirname "$lib" "" "."
-		    ladir="$func_dirname_result"
+		    ladir=$func_dirname_result
 		    lib=$ladir/$old_library
-		    if test "$linkmode,$pass" = "prog,link"; then
+		    if test prog,link = "$linkmode,$pass"; then
 		      compile_deplibs="$deplib $compile_deplibs"
 		      finalize_deplibs="$deplib $finalize_deplibs"
 		    else
 		      deplibs="$deplib $deplibs"
-		      test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs"
+		      test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs"
 		    fi
 		    continue
 		  fi
@@ -6295,15 +7679,25 @@ func_mode_link ()
 	      *) ;;
 	      esac
 	    fi
+	  else
+	    # deplib doesn't seem to be a libtool library
+	    if test prog,link = "$linkmode,$pass"; then
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    else
+	      deplibs="$deplib $deplibs"
+	      test lib = "$linkmode" && newdependency_libs="$deplib $newdependency_libs"
+	    fi
+	    continue
 	  fi
 	  ;; # -l
 	*.ltframework)
-	  if test "$linkmode,$pass" = "prog,link"; then
+	  if test prog,link = "$linkmode,$pass"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
 	    deplibs="$deplib $deplibs"
-	    if test "$linkmode" = lib ; then
+	    if test lib = "$linkmode"; then
 		case "$new_inherited_linker_flags " in
 		    *" $deplib "*) ;;
 		    * ) func_append new_inherited_linker_flags " $deplib" ;;
@@ -6316,18 +7710,18 @@ func_mode_link ()
 	  case $linkmode in
 	  lib)
 	    deplibs="$deplib $deplibs"
-	    test "$pass" = conv && continue
+	    test conv = "$pass" && continue
 	    newdependency_libs="$deplib $newdependency_libs"
 	    func_stripname '-L' '' "$deplib"
 	    func_resolve_sysroot "$func_stripname_result"
 	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  prog)
-	    if test "$pass" = conv; then
+	    if test conv = "$pass"; then
 	      deplibs="$deplib $deplibs"
 	      continue
 	    fi
-	    if test "$pass" = scan; then
+	    if test scan = "$pass"; then
 	      deplibs="$deplib $deplibs"
 	    else
 	      compile_deplibs="$deplib $compile_deplibs"
@@ -6338,13 +7732,13 @@ func_mode_link ()
 	    func_append newlib_search_path " $func_resolve_sysroot_result"
 	    ;;
 	  *)
-	    func_warning "\`-L' is ignored for archives/objects"
+	    func_warning "'-L' is ignored for archives/objects"
 	    ;;
 	  esac # linkmode
 	  continue
 	  ;; # -L
 	-R*)
-	  if test "$pass" = link; then
+	  if test link = "$pass"; then
 	    func_stripname '-R' '' "$deplib"
 	    func_resolve_sysroot "$func_stripname_result"
 	    dir=$func_resolve_sysroot_result
@@ -6362,7 +7756,7 @@ func_mode_link ()
 	  lib=$func_resolve_sysroot_result
 	  ;;
 	*.$libext)
-	  if test "$pass" = conv; then
+	  if test conv = "$pass"; then
 	    deplibs="$deplib $deplibs"
 	    continue
 	  fi
@@ -6373,21 +7767,26 @@ func_mode_link ()
 	    case " $dlpreconveniencelibs " in
 	    *" $deplib "*) ;;
 	    *)
-	      valid_a_lib=no
+	      valid_a_lib=false
 	      case $deplibs_check_method in
 		match_pattern*)
 		  set dummy $deplibs_check_method; shift
 		  match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"`
 		  if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \
 		    | $EGREP "$match_pattern_regex" > /dev/null; then
-		    valid_a_lib=yes
+		    valid_a_lib=:
 		  fi
 		;;
 		pass_all)
-		  valid_a_lib=yes
+		  valid_a_lib=:
 		;;
 	      esac
-	      if test "$valid_a_lib" != yes; then
+	      if $valid_a_lib; then
+		echo
+		$ECHO "*** Warning: Linking the shared library $output against the"
+		$ECHO "*** static library $deplib is not portable!"
+		deplibs="$deplib $deplibs"
+	      else
 		echo
 		$ECHO "*** Warning: Trying to link with static lib archive $deplib."
 		echo "*** I have the capability to make that library automatically link in when"
@@ -6395,18 +7794,13 @@ func_mode_link ()
 		echo "*** shared version of the library, which you do not appear to have"
 		echo "*** because the file extensions .$libext of this argument makes me believe"
 		echo "*** that it is just a static archive that I should not use here."
-	      else
-		echo
-		$ECHO "*** Warning: Linking the shared library $output against the"
-		$ECHO "*** static library $deplib is not portable!"
-		deplibs="$deplib $deplibs"
 	      fi
 	      ;;
 	    esac
 	    continue
 	    ;;
 	  prog)
-	    if test "$pass" != link; then
+	    if test link != "$pass"; then
 	      deplibs="$deplib $deplibs"
 	    else
 	      compile_deplibs="$deplib $compile_deplibs"
@@ -6417,10 +7811,10 @@ func_mode_link ()
 	  esac # linkmode
 	  ;; # *.$libext
 	*.lo | *.$objext)
-	  if test "$pass" = conv; then
+	  if test conv = "$pass"; then
 	    deplibs="$deplib $deplibs"
-	  elif test "$linkmode" = prog; then
-	    if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then
+	  elif test prog = "$linkmode"; then
+	    if test dlpreopen = "$pass" || test yes != "$dlopen_support" || test no = "$build_libtool_libs"; then
 	      # If there is no dlopen support or we're linking statically,
 	      # we need to preload.
 	      func_append newdlprefiles " $deplib"
@@ -6433,22 +7827,20 @@ func_mode_link ()
 	  continue
 	  ;;
 	%DEPLIBS%)
-	  alldeplibs=yes
+	  alldeplibs=:
 	  continue
 	  ;;
 	esac # case $deplib
 
-	if test "$found" = yes || test -f "$lib"; then :
-	else
-	  func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'"
-	fi
+	$found || test -f "$lib" \
+	  || func_fatal_error "cannot find the library '$lib' or unhandled argument '$deplib'"
 
 	# Check to see that this really is a libtool archive.
 	func_lalib_unsafe_p "$lib" \
-	  || func_fatal_error "\`$lib' is not a valid libtool archive"
+	  || func_fatal_error "'$lib' is not a valid libtool archive"
 
 	func_dirname "$lib" "" "."
-	ladir="$func_dirname_result"
+	ladir=$func_dirname_result
 
 	dlname=
 	dlopen=
@@ -6478,30 +7870,30 @@ func_mode_link ()
 	  done
 	fi
 	dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
-	if test "$linkmode,$pass" = "lib,link" ||
-	   test "$linkmode,$pass" = "prog,scan" ||
-	   { test "$linkmode" != prog && test "$linkmode" != lib; }; then
+	if test lib,link = "$linkmode,$pass" ||
+	   test prog,scan = "$linkmode,$pass" ||
+	   { test prog != "$linkmode" && test lib != "$linkmode"; }; then
 	  test -n "$dlopen" && func_append dlfiles " $dlopen"
 	  test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen"
 	fi
 
-	if test "$pass" = conv; then
+	if test conv = "$pass"; then
 	  # Only check for convenience libraries
 	  deplibs="$lib $deplibs"
 	  if test -z "$libdir"; then
 	    if test -z "$old_library"; then
-	      func_fatal_error "cannot find name of link library for \`$lib'"
+	      func_fatal_error "cannot find name of link library for '$lib'"
 	    fi
 	    # It is a libtool convenience library, so add in its objects.
 	    func_append convenience " $ladir/$objdir/$old_library"
 	    func_append old_convenience " $ladir/$objdir/$old_library"
-	  elif test "$linkmode" != prog && test "$linkmode" != lib; then
-	    func_fatal_error "\`$lib' is not a convenience library"
+	  elif test prog != "$linkmode" && test lib != "$linkmode"; then
+	    func_fatal_error "'$lib' is not a convenience library"
 	  fi
 	  tmp_libs=
 	  for deplib in $dependency_libs; do
 	    deplibs="$deplib $deplibs"
-	    if $opt_preserve_dup_deps ; then
+	    if $opt_preserve_dup_deps; then
 	      case "$tmp_libs " in
 	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	      esac
@@ -6515,26 +7907,26 @@ func_mode_link ()
 	# Get the name of the library we link against.
 	linklib=
 	if test -n "$old_library" &&
-	   { test "$prefer_static_libs" = yes ||
-	     test "$prefer_static_libs,$installed" = "built,no"; }; then
+	   { test yes = "$prefer_static_libs" ||
+	     test built,no = "$prefer_static_libs,$installed"; }; then
 	  linklib=$old_library
 	else
 	  for l in $old_library $library_names; do
-	    linklib="$l"
+	    linklib=$l
 	  done
 	fi
 	if test -z "$linklib"; then
-	  func_fatal_error "cannot find name of link library for \`$lib'"
+	  func_fatal_error "cannot find name of link library for '$lib'"
 	fi
 
 	# This library was specified with -dlopen.
-	if test "$pass" = dlopen; then
-	  if test -z "$libdir"; then
-	    func_fatal_error "cannot -dlopen a convenience library: \`$lib'"
-	  fi
+	if test dlopen = "$pass"; then
+	  test -z "$libdir" \
+	    && func_fatal_error "cannot -dlopen a convenience library: '$lib'"
 	  if test -z "$dlname" ||
-	     test "$dlopen_support" != yes ||
-	     test "$build_libtool_libs" = no; then
+	     test yes != "$dlopen_support" ||
+	     test no = "$build_libtool_libs"
+	  then
 	    # If there is no dlname, no dlopen support or we're linking
 	    # statically, we need to preload.  We also need to preload any
 	    # dependent libraries so libltdl's deplib preloader doesn't
@@ -6548,40 +7940,40 @@ func_mode_link ()
 
 	# We need an absolute path.
 	case $ladir in
-	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;;
+	[\\/]* | [A-Za-z]:[\\/]*) abs_ladir=$ladir ;;
 	*)
 	  abs_ladir=`cd "$ladir" && pwd`
 	  if test -z "$abs_ladir"; then
-	    func_warning "cannot determine absolute directory name of \`$ladir'"
+	    func_warning "cannot determine absolute directory name of '$ladir'"
 	    func_warning "passing it literally to the linker, although it might fail"
-	    abs_ladir="$ladir"
+	    abs_ladir=$ladir
 	  fi
 	  ;;
 	esac
 	func_basename "$lib"
-	laname="$func_basename_result"
+	laname=$func_basename_result
 
 	# Find the relevant object directory and library name.
-	if test "X$installed" = Xyes; then
+	if test yes = "$installed"; then
 	  if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    func_warning "library \`$lib' was moved."
-	    dir="$ladir"
-	    absdir="$abs_ladir"
-	    libdir="$abs_ladir"
+	    func_warning "library '$lib' was moved."
+	    dir=$ladir
+	    absdir=$abs_ladir
+	    libdir=$abs_ladir
 	  else
-	    dir="$lt_sysroot$libdir"
-	    absdir="$lt_sysroot$libdir"
+	    dir=$lt_sysroot$libdir
+	    absdir=$lt_sysroot$libdir
 	  fi
-	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
+	  test yes = "$hardcode_automatic" && avoidtemprpath=yes
 	else
 	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
-	    dir="$ladir"
-	    absdir="$abs_ladir"
+	    dir=$ladir
+	    absdir=$abs_ladir
 	    # Remove this search path later
 	    func_append notinst_path " $abs_ladir"
 	  else
-	    dir="$ladir/$objdir"
-	    absdir="$abs_ladir/$objdir"
+	    dir=$ladir/$objdir
+	    absdir=$abs_ladir/$objdir
 	    # Remove this search path later
 	    func_append notinst_path " $abs_ladir"
 	  fi
@@ -6590,11 +7982,11 @@ func_mode_link ()
 	name=$func_stripname_result
 
 	# This library was specified with -dlpreopen.
-	if test "$pass" = dlpreopen; then
-	  if test -z "$libdir" && test "$linkmode" = prog; then
-	    func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'"
+	if test dlpreopen = "$pass"; then
+	  if test -z "$libdir" && test prog = "$linkmode"; then
+	    func_fatal_error "only libraries may -dlpreopen a convenience library: '$lib'"
 	  fi
-	  case "$host" in
+	  case $host in
 	    # special handling for platforms with PE-DLLs.
 	    *cygwin* | *mingw* | *cegcc* )
 	      # Linker will automatically link against shared library if both
@@ -6638,9 +8030,9 @@ func_mode_link ()
 
 	if test -z "$libdir"; then
 	  # Link the convenience library
-	  if test "$linkmode" = lib; then
+	  if test lib = "$linkmode"; then
 	    deplibs="$dir/$old_library $deplibs"
-	  elif test "$linkmode,$pass" = "prog,link"; then
+	  elif test prog,link = "$linkmode,$pass"; then
 	    compile_deplibs="$dir/$old_library $compile_deplibs"
 	    finalize_deplibs="$dir/$old_library $finalize_deplibs"
 	  else
@@ -6650,14 +8042,14 @@ func_mode_link ()
 	fi
 
 
-	if test "$linkmode" = prog && test "$pass" != link; then
+	if test prog = "$linkmode" && test link != "$pass"; then
 	  func_append newlib_search_path " $ladir"
 	  deplibs="$lib $deplibs"
 
-	  linkalldeplibs=no
-	  if test "$link_all_deplibs" != no || test -z "$library_names" ||
-	     test "$build_libtool_libs" = no; then
-	    linkalldeplibs=yes
+	  linkalldeplibs=false
+	  if test no != "$link_all_deplibs" || test -z "$library_names" ||
+	     test no = "$build_libtool_libs"; then
+	    linkalldeplibs=:
 	  fi
 
 	  tmp_libs=
@@ -6669,14 +8061,14 @@ func_mode_link ()
 		 ;;
 	    esac
 	    # Need to link against all dependency_libs?
-	    if test "$linkalldeplibs" = yes; then
+	    if $linkalldeplibs; then
 	      deplibs="$deplib $deplibs"
 	    else
 	      # Need to hardcode shared library paths
 	      # or/and link against static libraries
 	      newdependency_libs="$deplib $newdependency_libs"
 	    fi
-	    if $opt_preserve_dup_deps ; then
+	    if $opt_preserve_dup_deps; then
 	      case "$tmp_libs " in
 	      *" $deplib "*) func_append specialdeplibs " $deplib" ;;
 	      esac
@@ -6686,15 +8078,15 @@ func_mode_link ()
 	  continue
 	fi # $linkmode = prog...
 
-	if test "$linkmode,$pass" = "prog,link"; then
+	if test prog,link = "$linkmode,$pass"; then
 	  if test -n "$library_names" &&
-	     { { test "$prefer_static_libs" = no ||
-	         test "$prefer_static_libs,$installed" = "built,yes"; } ||
+	     { { test no = "$prefer_static_libs" ||
+	         test built,yes = "$prefer_static_libs,$installed"; } ||
 	       test -z "$old_library"; }; then
 	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath"; then
 	      # Make sure the rpath contains only unique directories.
-	      case "$temp_rpath:" in
+	      case $temp_rpath: in
 	      *"$absdir:"*) ;;
 	      *) func_append temp_rpath "$absdir:" ;;
 	      esac
@@ -6723,9 +8115,9 @@ func_mode_link ()
 	    esac
 	  fi # $linkmode,$pass = prog,link...
 
-	  if test "$alldeplibs" = yes &&
-	     { test "$deplibs_check_method" = pass_all ||
-	       { test "$build_libtool_libs" = yes &&
+	  if $alldeplibs &&
+	     { test pass_all = "$deplibs_check_method" ||
+	       { test yes = "$build_libtool_libs" &&
 		 test -n "$library_names"; }; }; then
 	    # We only need to search for static libraries
 	    continue
@@ -6734,19 +8126,19 @@ func_mode_link ()
 
 	link_static=no # Whether the deplib will be linked statically
 	use_static_libs=$prefer_static_libs
-	if test "$use_static_libs" = built && test "$installed" = yes; then
+	if test built = "$use_static_libs" && test yes = "$installed"; then
 	  use_static_libs=no
 	fi
 	if test -n "$library_names" &&
-	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
+	   { test no = "$use_static_libs" || test -z "$old_library"; }; then
 	  case $host in
-	  *cygwin* | *mingw* | *cegcc*)
+	  *cygwin* | *mingw* | *cegcc* | *os2*)
 	      # No point in relinking DLLs because paths are not encoded
 	      func_append notinst_deplibs " $lib"
 	      need_relink=no
 	    ;;
 	  *)
-	    if test "$installed" = no; then
+	    if test no = "$installed"; then
 	      func_append notinst_deplibs " $lib"
 	      need_relink=yes
 	    fi
@@ -6756,24 +8148,24 @@ func_mode_link ()
 
 	  # Warn about portability, can't link against -module's on some
 	  # systems (darwin).  Don't bleat about dlopened modules though!
-	  dlopenmodule=""
+	  dlopenmodule=
 	  for dlpremoduletest in $dlprefiles; do
 	    if test "X$dlpremoduletest" = "X$lib"; then
-	      dlopenmodule="$dlpremoduletest"
+	      dlopenmodule=$dlpremoduletest
 	      break
 	    fi
 	  done
-	  if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then
+	  if test -z "$dlopenmodule" && test yes = "$shouldnotlink" && test link = "$pass"; then
 	    echo
-	    if test "$linkmode" = prog; then
+	    if test prog = "$linkmode"; then
 	      $ECHO "*** Warning: Linking the executable $output against the loadable module"
 	    else
 	      $ECHO "*** Warning: Linking the shared library $output against the loadable module"
 	    fi
 	    $ECHO "*** $linklib is not portable!"
 	  fi
-	  if test "$linkmode" = lib &&
-	     test "$hardcode_into_libs" = yes; then
+	  if test lib = "$linkmode" &&
+	     test yes = "$hardcode_into_libs"; then
 	    # Hardcode the library path.
 	    # Skip directories that are in the system default run-time
 	    # search path.
@@ -6801,43 +8193,43 @@ func_mode_link ()
 	    # figure out the soname
 	    set dummy $library_names
 	    shift
-	    realname="$1"
+	    realname=$1
 	    shift
 	    libname=`eval "\\$ECHO \"$libname_spec\""`
 	    # use dlname if we got it. it's perfectly good, no?
 	    if test -n "$dlname"; then
-	      soname="$dlname"
+	      soname=$dlname
 	    elif test -n "$soname_spec"; then
 	      # bleh windows
 	      case $host in
-	      *cygwin* | mingw* | *cegcc*)
+	      *cygwin* | mingw* | *cegcc* | *os2*)
 	        func_arith $current - $age
 		major=$func_arith_result
-		versuffix="-$major"
+		versuffix=-$major
 		;;
 	      esac
 	      eval soname=\"$soname_spec\"
 	    else
-	      soname="$realname"
+	      soname=$realname
 	    fi
 
 	    # Make a new name for the extract_expsyms_cmds to use
-	    soroot="$soname"
+	    soroot=$soname
 	    func_basename "$soroot"
-	    soname="$func_basename_result"
+	    soname=$func_basename_result
 	    func_stripname 'lib' '.dll' "$soname"
 	    newlib=libimp-$func_stripname_result.a
 
 	    # If the library has no export list, then create one now
 	    if test -f "$output_objdir/$soname-def"; then :
 	    else
-	      func_verbose "extracting exported symbol list from \`$soname'"
+	      func_verbose "extracting exported symbol list from '$soname'"
 	      func_execute_cmds "$extract_expsyms_cmds" 'exit $?'
 	    fi
 
 	    # Create $newlib
 	    if test -f "$output_objdir/$newlib"; then :; else
-	      func_verbose "generating import library for \`$soname'"
+	      func_verbose "generating import library for '$soname'"
 	      func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?'
 	    fi
 	    # make sure the library variables are pointing to the new library
@@ -6845,58 +8237,58 @@ func_mode_link ()
 	    linklib=$newlib
 	  fi # test -n "$old_archive_from_expsyms_cmds"
 
-	  if test "$linkmode" = prog || test "$opt_mode" != relink; then
+	  if test prog = "$linkmode" || test relink != "$opt_mode"; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
 	    lib_linked=yes
 	    case $hardcode_action in
 	    immediate | unsupported)
-	      if test "$hardcode_direct" = no; then
-		add="$dir/$linklib"
+	      if test no = "$hardcode_direct"; then
+		add=$dir/$linklib
 		case $host in
-		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
-		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+		  *-*-sco3.2v5.0.[024]*) add_dir=-L$dir ;;
+		  *-*-sysv4*uw2*) add_dir=-L$dir ;;
 		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
-		    *-*-unixware7*) add_dir="-L$dir" ;;
+		    *-*-unixware7*) add_dir=-L$dir ;;
 		  *-*-darwin* )
-		    # if the lib is a (non-dlopened) module then we can not
+		    # if the lib is a (non-dlopened) module then we cannot
 		    # link against it, someone is ignoring the earlier warnings
 		    if /usr/bin/file -L $add 2> /dev/null |
-			 $GREP ": [^:]* bundle" >/dev/null ; then
+			 $GREP ": [^:]* bundle" >/dev/null; then
 		      if test "X$dlopenmodule" != "X$lib"; then
 			$ECHO "*** Warning: lib $linklib is a module, not a shared library"
-			if test -z "$old_library" ; then
+			if test -z "$old_library"; then
 			  echo
 			  echo "*** And there doesn't seem to be a static archive available"
 			  echo "*** The link will probably fail, sorry"
 			else
-			  add="$dir/$old_library"
+			  add=$dir/$old_library
 			fi
 		      elif test -n "$old_library"; then
-			add="$dir/$old_library"
+			add=$dir/$old_library
 		      fi
 		    fi
 		esac
-	      elif test "$hardcode_minus_L" = no; then
+	      elif test no = "$hardcode_minus_L"; then
 		case $host in
-		*-*-sunos*) add_shlibpath="$dir" ;;
+		*-*-sunos*) add_shlibpath=$dir ;;
 		esac
-		add_dir="-L$dir"
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = no; then
-		add_shlibpath="$dir"
-		add="-l$name"
+		add_dir=-L$dir
+		add=-l$name
+	      elif test no = "$hardcode_shlibpath_var"; then
+		add_shlibpath=$dir
+		add=-l$name
 	      else
 		lib_linked=no
 	      fi
 	      ;;
 	    relink)
-	      if test "$hardcode_direct" = yes &&
-	         test "$hardcode_direct_absolute" = no; then
-		add="$dir/$linklib"
-	      elif test "$hardcode_minus_L" = yes; then
-		add_dir="-L$absdir"
+	      if test yes = "$hardcode_direct" &&
+	         test no = "$hardcode_direct_absolute"; then
+		add=$dir/$linklib
+	      elif test yes = "$hardcode_minus_L"; then
+		add_dir=-L$absdir
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
 		  case $libdir in
@@ -6905,10 +8297,10 @@ func_mode_link ()
 		      ;;
 		  esac
 		fi
-		add="-l$name"
-	      elif test "$hardcode_shlibpath_var" = yes; then
-		add_shlibpath="$dir"
-		add="-l$name"
+		add=-l$name
+	      elif test yes = "$hardcode_shlibpath_var"; then
+		add_shlibpath=$dir
+		add=-l$name
 	      else
 		lib_linked=no
 	      fi
@@ -6916,7 +8308,7 @@ func_mode_link ()
 	    *) lib_linked=no ;;
 	    esac
 
-	    if test "$lib_linked" != yes; then
+	    if test yes != "$lib_linked"; then
 	      func_fatal_configuration "unsupported hardcode properties"
 	    fi
 
@@ -6926,15 +8318,15 @@ func_mode_link ()
 	      *) func_append compile_shlibpath "$add_shlibpath:" ;;
 	      esac
 	    fi
-	    if test "$linkmode" = prog; then
+	    if test prog = "$linkmode"; then
 	      test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs"
 	      test -n "$add" && compile_deplibs="$add $compile_deplibs"
 	    else
 	      test -n "$add_dir" && deplibs="$add_dir $deplibs"
 	      test -n "$add" && deplibs="$add $deplibs"
-	      if test "$hardcode_direct" != yes &&
-		 test "$hardcode_minus_L" != yes &&
-		 test "$hardcode_shlibpath_var" = yes; then
+	      if test yes != "$hardcode_direct" &&
+		 test yes != "$hardcode_minus_L" &&
+		 test yes = "$hardcode_shlibpath_var"; then
 		case :$finalize_shlibpath: in
 		*":$libdir:"*) ;;
 		*) func_append finalize_shlibpath "$libdir:" ;;
@@ -6943,33 +8335,33 @@ func_mode_link ()
 	    fi
 	  fi
 
-	  if test "$linkmode" = prog || test "$opt_mode" = relink; then
+	  if test prog = "$linkmode" || test relink = "$opt_mode"; then
 	    add_shlibpath=
 	    add_dir=
 	    add=
 	    # Finalize command for both is simple: just hardcode it.
-	    if test "$hardcode_direct" = yes &&
-	       test "$hardcode_direct_absolute" = no; then
-	      add="$libdir/$linklib"
-	    elif test "$hardcode_minus_L" = yes; then
-	      add_dir="-L$libdir"
-	      add="-l$name"
-	    elif test "$hardcode_shlibpath_var" = yes; then
+	    if test yes = "$hardcode_direct" &&
+	       test no = "$hardcode_direct_absolute"; then
+	      add=$libdir/$linklib
+	    elif test yes = "$hardcode_minus_L"; then
+	      add_dir=-L$libdir
+	      add=-l$name
+	    elif test yes = "$hardcode_shlibpath_var"; then
 	      case :$finalize_shlibpath: in
 	      *":$libdir:"*) ;;
 	      *) func_append finalize_shlibpath "$libdir:" ;;
 	      esac
-	      add="-l$name"
-	    elif test "$hardcode_automatic" = yes; then
+	      add=-l$name
+	    elif test yes = "$hardcode_automatic"; then
 	      if test -n "$inst_prefix_dir" &&
-		 test -f "$inst_prefix_dir$libdir/$linklib" ; then
-		add="$inst_prefix_dir$libdir/$linklib"
+		 test -f "$inst_prefix_dir$libdir/$linklib"; then
+		add=$inst_prefix_dir$libdir/$linklib
 	      else
-		add="$libdir/$linklib"
+		add=$libdir/$linklib
 	      fi
 	    else
 	      # We cannot seem to hardcode it, guess we'll fake it.
-	      add_dir="-L$libdir"
+	      add_dir=-L$libdir
 	      # Try looking first in the location we're being installed to.
 	      if test -n "$inst_prefix_dir"; then
 		case $libdir in
@@ -6978,10 +8370,10 @@ func_mode_link ()
 		    ;;
 		esac
 	      fi
-	      add="-l$name"
+	      add=-l$name
 	    fi
 
-	    if test "$linkmode" = prog; then
+	    if test prog = "$linkmode"; then
 	      test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs"
 	      test -n "$add" && finalize_deplibs="$add $finalize_deplibs"
 	    else
@@ -6989,43 +8381,43 @@ func_mode_link ()
 	      test -n "$add" && deplibs="$add $deplibs"
 	    fi
 	  fi
-	elif test "$linkmode" = prog; then
+	elif test prog = "$linkmode"; then
 	  # Here we assume that one of hardcode_direct or hardcode_minus_L
 	  # is not unsupported.  This is valid on all known static and
 	  # shared platforms.
-	  if test "$hardcode_direct" != unsupported; then
-	    test -n "$old_library" && linklib="$old_library"
+	  if test unsupported != "$hardcode_direct"; then
+	    test -n "$old_library" && linklib=$old_library
 	    compile_deplibs="$dir/$linklib $compile_deplibs"
 	    finalize_deplibs="$dir/$linklib $finalize_deplibs"
 	  else
 	    compile_deplibs="-l$name -L$dir $compile_deplibs"
 	    finalize_deplibs="-l$name -L$dir $finalize_deplibs"
 	  fi
-	elif test "$build_libtool_libs" = yes; then
+	elif test yes = "$build_libtool_libs"; then
 	  # Not a shared library
-	  if test "$deplibs_check_method" != pass_all; then
+	  if test pass_all != "$deplibs_check_method"; then
 	    # We're trying link a shared library against a static one
 	    # but the system doesn't support it.
 
 	    # Just print a warning and add the library to dependency_libs so
 	    # that the program can be linked against the static library.
 	    echo
-	    $ECHO "*** Warning: This system can not link to static lib archive $lib."
+	    $ECHO "*** Warning: This system cannot link to static lib archive $lib."
 	    echo "*** I have the capability to make that library automatically link in when"
 	    echo "*** you link to this library.  But I can only do this if you have a"
 	    echo "*** shared version of the library, which you do not appear to have."
-	    if test "$module" = yes; then
+	    if test yes = "$module"; then
 	      echo "*** But as you try to build a module library, libtool will still create "
 	      echo "*** a static module, that should work as long as the dlopening application"
 	      echo "*** is linked with the -dlopen flag to resolve symbols at runtime."
 	      if test -z "$global_symbol_pipe"; then
 		echo
 		echo "*** However, this would only work if libtool was able to extract symbol"
-		echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+		echo "*** lists from a program, using 'nm' or equivalent, but libtool could"
 		echo "*** not find such a program.  So, this module is probably useless."
-		echo "*** \`nm' from GNU binutils and a full rebuild may help."
+		echo "*** 'nm' from GNU binutils and a full rebuild may help."
 	      fi
-	      if test "$build_old_libs" = no; then
+	      if test no = "$build_old_libs"; then
 		build_libtool_libs=module
 		build_old_libs=yes
 	      else
@@ -7038,11 +8430,11 @@ func_mode_link ()
 	  fi
 	fi # link shared/static library?
 
-	if test "$linkmode" = lib; then
+	if test lib = "$linkmode"; then
 	  if test -n "$dependency_libs" &&
-	     { test "$hardcode_into_libs" != yes ||
-	       test "$build_old_libs" = yes ||
-	       test "$link_static" = yes; }; then
+	     { test yes != "$hardcode_into_libs" ||
+	       test yes = "$build_old_libs" ||
+	       test yes = "$link_static"; }; then
 	    # Extract -R from dependency_libs
 	    temp_deplibs=
 	    for libdir in $dependency_libs; do
@@ -7056,12 +8448,12 @@ func_mode_link ()
 	      *) func_append temp_deplibs " $libdir";;
 	      esac
 	    done
-	    dependency_libs="$temp_deplibs"
+	    dependency_libs=$temp_deplibs
 	  fi
 
 	  func_append newlib_search_path " $absdir"
 	  # Link against this library
-	  test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
+	  test no = "$link_static" && newdependency_libs="$abs_ladir/$laname $newdependency_libs"
 	  # ... and its dependency_libs
 	  tmp_libs=
 	  for deplib in $dependency_libs; do
@@ -7071,7 +8463,7 @@ func_mode_link ()
                    func_resolve_sysroot "$func_stripname_result";;
               *) func_resolve_sysroot "$deplib" ;;
             esac
-	    if $opt_preserve_dup_deps ; then
+	    if $opt_preserve_dup_deps; then
 	      case "$tmp_libs " in
 	      *" $func_resolve_sysroot_result "*)
                 func_append specialdeplibs " $func_resolve_sysroot_result" ;;
@@ -7080,12 +8472,12 @@ func_mode_link ()
 	    func_append tmp_libs " $func_resolve_sysroot_result"
 	  done
 
-	  if test "$link_all_deplibs" != no; then
+	  if test no != "$link_all_deplibs"; then
 	    # Add the search paths of all dependency libraries
 	    for deplib in $dependency_libs; do
 	      path=
 	      case $deplib in
-	      -L*) path="$deplib" ;;
+	      -L*) path=$deplib ;;
 	      *.la)
 	        func_resolve_sysroot "$deplib"
 	        deplib=$func_resolve_sysroot_result
@@ -7093,12 +8485,12 @@ func_mode_link ()
 		dir=$func_dirname_result
 		# We need an absolute path.
 		case $dir in
-		[\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;;
+		[\\/]* | [A-Za-z]:[\\/]*) absdir=$dir ;;
 		*)
 		  absdir=`cd "$dir" && pwd`
 		  if test -z "$absdir"; then
-		    func_warning "cannot determine absolute directory name of \`$dir'"
-		    absdir="$dir"
+		    func_warning "cannot determine absolute directory name of '$dir'"
+		    absdir=$dir
 		  fi
 		  ;;
 		esac
@@ -7106,35 +8498,35 @@ func_mode_link ()
 		case $host in
 		*-*-darwin*)
 		  depdepl=
-		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
-		  if test -n "$deplibrary_names" ; then
-		    for tmp in $deplibrary_names ; do
+		  eval deplibrary_names=`$SED -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+		  if test -n "$deplibrary_names"; then
+		    for tmp in $deplibrary_names; do
 		      depdepl=$tmp
 		    done
-		    if test -f "$absdir/$objdir/$depdepl" ; then
-		      depdepl="$absdir/$objdir/$depdepl"
-		      darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
+		    if test -f "$absdir/$objdir/$depdepl"; then
+		      depdepl=$absdir/$objdir/$depdepl
+		      darwin_install_name=`$OTOOL -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'`
                       if test -z "$darwin_install_name"; then
-                          darwin_install_name=`${OTOOL64} -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
+                          darwin_install_name=`$OTOOL64 -L $depdepl  | awk '{if (NR == 2) {print $1;exit}}'`
                       fi
-		      func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}"
-		      func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}"
+		      func_append compiler_flags " $wl-dylib_file $wl$darwin_install_name:$depdepl"
+		      func_append linker_flags " -dylib_file $darwin_install_name:$depdepl"
 		      path=
 		    fi
 		  fi
 		  ;;
 		*)
-		  path="-L$absdir/$objdir"
+		  path=-L$absdir/$objdir
 		  ;;
 		esac
 		else
-		  eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
+		  eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		  test -z "$libdir" && \
-		    func_fatal_error "\`$deplib' is not a valid libtool archive"
+		    func_fatal_error "'$deplib' is not a valid libtool archive"
 		  test "$absdir" != "$libdir" && \
-		    func_warning "\`$deplib' seems to be moved"
+		    func_warning "'$deplib' seems to be moved"
 
-		  path="-L$absdir"
+		  path=-L$absdir
 		fi
 		;;
 	      esac
@@ -7146,23 +8538,23 @@ func_mode_link ()
 	  fi # link_all_deplibs != no
 	fi # linkmode = lib
       done # for deplib in $libs
-      if test "$pass" = link; then
-	if test "$linkmode" = "prog"; then
+      if test link = "$pass"; then
+	if test prog = "$linkmode"; then
 	  compile_deplibs="$new_inherited_linker_flags $compile_deplibs"
 	  finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs"
 	else
 	  compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'`
 	fi
       fi
-      dependency_libs="$newdependency_libs"
-      if test "$pass" = dlpreopen; then
+      dependency_libs=$newdependency_libs
+      if test dlpreopen = "$pass"; then
 	# Link the dlpreopened libraries before other libraries
 	for deplib in $save_deplibs; do
 	  deplibs="$deplib $deplibs"
 	done
       fi
-      if test "$pass" != dlopen; then
-	if test "$pass" != conv; then
+      if test dlopen != "$pass"; then
+	test conv = "$pass" || {
 	  # Make sure lib_search_path contains only unique directories.
 	  lib_search_path=
 	  for dir in $newlib_search_path; do
@@ -7172,12 +8564,12 @@ func_mode_link ()
 	    esac
 	  done
 	  newlib_search_path=
-	fi
+	}
 
-	if test "$linkmode,$pass" != "prog,link"; then
-	  vars="deplibs"
-	else
+	if test prog,link = "$linkmode,$pass"; then
 	  vars="compile_deplibs finalize_deplibs"
+	else
+	  vars=deplibs
 	fi
 	for var in $vars dependency_libs; do
 	  # Add libraries to $var in reverse order
@@ -7235,62 +8627,93 @@ func_mode_link ()
 	  eval $var=\"$tmp_libs\"
 	done # for var
       fi
+
+      # Add Sun CC postdeps if required:
+      test CXX = "$tagname" && {
+        case $host_os in
+        linux*)
+          case `$CC -V 2>&1 | sed 5q` in
+          *Sun\ C*) # Sun C++ 5.9
+            func_suncc_cstd_abi
+
+            if test no != "$suncc_use_cstd_abi"; then
+              func_append postdeps ' -library=Cstd -library=Crun'
+            fi
+            ;;
+          esac
+          ;;
+
+        solaris*)
+          func_cc_basename "$CC"
+          case $func_cc_basename_result in
+          CC* | sunCC*)
+            func_suncc_cstd_abi
+
+            if test no != "$suncc_use_cstd_abi"; then
+              func_append postdeps ' -library=Cstd -library=Crun'
+            fi
+            ;;
+          esac
+          ;;
+        esac
+      }
+
       # Last step: remove runtime libs from dependency_libs
       # (they stay in deplibs)
       tmp_libs=
-      for i in $dependency_libs ; do
+      for i in $dependency_libs; do
 	case " $predeps $postdeps $compiler_lib_search_path " in
 	*" $i "*)
-	  i=""
+	  i=
 	  ;;
 	esac
-	if test -n "$i" ; then
+	if test -n "$i"; then
 	  func_append tmp_libs " $i"
 	fi
       done
       dependency_libs=$tmp_libs
     done # for pass
-    if test "$linkmode" = prog; then
-      dlfiles="$newdlfiles"
+    if test prog = "$linkmode"; then
+      dlfiles=$newdlfiles
     fi
-    if test "$linkmode" = prog || test "$linkmode" = lib; then
-      dlprefiles="$newdlprefiles"
+    if test prog = "$linkmode" || test lib = "$linkmode"; then
+      dlprefiles=$newdlprefiles
     fi
 
     case $linkmode in
     oldlib)
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	func_warning "\`-dlopen' is ignored for archives"
+      if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
+	func_warning "'-dlopen' is ignored for archives"
       fi
 
       case " $deplibs" in
       *\ -l* | *\ -L*)
-	func_warning "\`-l' and \`-L' are ignored for archives" ;;
+	func_warning "'-l' and '-L' are ignored for archives" ;;
       esac
 
       test -n "$rpath" && \
-	func_warning "\`-rpath' is ignored for archives"
+	func_warning "'-rpath' is ignored for archives"
 
       test -n "$xrpath" && \
-	func_warning "\`-R' is ignored for archives"
+	func_warning "'-R' is ignored for archives"
 
       test -n "$vinfo" && \
-	func_warning "\`-version-info/-version-number' is ignored for archives"
+	func_warning "'-version-info/-version-number' is ignored for archives"
 
       test -n "$release" && \
-	func_warning "\`-release' is ignored for archives"
+	func_warning "'-release' is ignored for archives"
 
       test -n "$export_symbols$export_symbols_regex" && \
-	func_warning "\`-export-symbols' is ignored for archives"
+	func_warning "'-export-symbols' is ignored for archives"
 
       # Now set the variables for building old libraries.
       build_libtool_libs=no
-      oldlibs="$output"
+      oldlibs=$output
       func_append objs "$old_deplibs"
       ;;
 
     lib)
-      # Make sure we only generate libraries of the form `libNAME.la'.
+      # Make sure we only generate libraries of the form 'libNAME.la'.
       case $outputname in
       lib*)
 	func_stripname 'lib' '.la' "$outputname"
@@ -7299,10 +8722,10 @@ func_mode_link ()
 	eval libname=\"$libname_spec\"
 	;;
       *)
-	test "$module" = no && \
-	  func_fatal_help "libtool library \`$output' must begin with \`lib'"
+	test no = "$module" \
+	  && func_fatal_help "libtool library '$output' must begin with 'lib'"
 
-	if test "$need_lib_prefix" != no; then
+	if test no != "$need_lib_prefix"; then
 	  # Add the "lib" prefix for modules if required
 	  func_stripname '' '.la' "$outputname"
 	  name=$func_stripname_result
@@ -7316,8 +8739,8 @@ func_mode_link ()
       esac
 
       if test -n "$objs"; then
-	if test "$deplibs_check_method" != pass_all; then
-	  func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs"
+	if test pass_all != "$deplibs_check_method"; then
+	  func_fatal_error "cannot build libtool library '$output' from non-libtool objects on this host:$objs"
 	else
 	  echo
 	  $ECHO "*** Warning: Linking the shared library $output against the non-libtool"
@@ -7326,21 +8749,21 @@ func_mode_link ()
 	fi
       fi
 
-      test "$dlself" != no && \
-	func_warning "\`-dlopen self' is ignored for libtool libraries"
+      test no = "$dlself" \
+	|| func_warning "'-dlopen self' is ignored for libtool libraries"
 
       set dummy $rpath
       shift
-      test "$#" -gt 1 && \
-	func_warning "ignoring multiple \`-rpath's for a libtool library"
+      test 1 -lt "$#" \
+	&& func_warning "ignoring multiple '-rpath's for a libtool library"
 
-      install_libdir="$1"
+      install_libdir=$1
 
       oldlibs=
       if test -z "$rpath"; then
-	if test "$build_libtool_libs" = yes; then
+	if test yes = "$build_libtool_libs"; then
 	  # Building a libtool convenience library.
-	  # Some compilers have problems with a `.al' extension so
+	  # Some compilers have problems with a '.al' extension so
 	  # convenience libraries should have the same extension an
 	  # archive normally would.
 	  oldlibs="$output_objdir/$libname.$libext $oldlibs"
@@ -7349,20 +8772,20 @@ func_mode_link ()
 	fi
 
 	test -n "$vinfo" && \
-	  func_warning "\`-version-info/-version-number' is ignored for convenience libraries"
+	  func_warning "'-version-info/-version-number' is ignored for convenience libraries"
 
 	test -n "$release" && \
-	  func_warning "\`-release' is ignored for convenience libraries"
+	  func_warning "'-release' is ignored for convenience libraries"
       else
 
 	# Parse the version information argument.
-	save_ifs="$IFS"; IFS=':'
+	save_ifs=$IFS; IFS=:
 	set dummy $vinfo 0 0 0
 	shift
-	IFS="$save_ifs"
+	IFS=$save_ifs
 
 	test -n "$7" && \
-	  func_fatal_help "too many parameters to \`-version-info'"
+	  func_fatal_help "too many parameters to '-version-info'"
 
 	# convert absolute version numbers to libtool ages
 	# this retains compatibility with .la files and attempts
@@ -7370,42 +8793,42 @@ func_mode_link ()
 
 	case $vinfo_number in
 	yes)
-	  number_major="$1"
-	  number_minor="$2"
-	  number_revision="$3"
+	  number_major=$1
+	  number_minor=$2
+	  number_revision=$3
 	  #
 	  # There are really only two kinds -- those that
 	  # use the current revision as the major version
 	  # and those that subtract age and use age as
 	  # a minor version.  But, then there is irix
-	  # which has an extra 1 added just for fun
+	  # that has an extra 1 added just for fun
 	  #
 	  case $version_type in
 	  # correct linux to gnu/linux during the next big refactor
-	  darwin|linux|osf|windows|none)
+	  darwin|freebsd-elf|linux|osf|windows|none)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
-	    age="$number_minor"
-	    revision="$number_revision"
+	    age=$number_minor
+	    revision=$number_revision
 	    ;;
-	  freebsd-aout|freebsd-elf|qnx|sunos)
-	    current="$number_major"
-	    revision="$number_minor"
-	    age="0"
+	  freebsd-aout|qnx|sunos)
+	    current=$number_major
+	    revision=$number_minor
+	    age=0
 	    ;;
 	  irix|nonstopux)
 	    func_arith $number_major + $number_minor
 	    current=$func_arith_result
-	    age="$number_minor"
-	    revision="$number_minor"
+	    age=$number_minor
+	    revision=$number_minor
 	    lt_irix_increment=no
 	    ;;
 	  esac
 	  ;;
 	no)
-	  current="$1"
-	  revision="$2"
-	  age="$3"
+	  current=$1
+	  revision=$2
+	  age=$3
 	  ;;
 	esac
 
@@ -7413,30 +8836,30 @@ func_mode_link ()
 	case $current in
 	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  func_error "CURRENT \`$current' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
+	  func_error "CURRENT '$current' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
 	  ;;
 	esac
 
 	case $revision in
 	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  func_error "REVISION \`$revision' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
+	  func_error "REVISION '$revision' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
 	  ;;
 	esac
 
 	case $age in
 	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  func_error "AGE \`$age' must be a nonnegative integer"
-	  func_fatal_error "\`$vinfo' is not valid version information"
+	  func_error "AGE '$age' must be a nonnegative integer"
+	  func_fatal_error "'$vinfo' is not valid version information"
 	  ;;
 	esac
 
 	if test "$age" -gt "$current"; then
-	  func_error "AGE \`$age' is greater than the current interface number \`$current'"
-	  func_fatal_error "\`$vinfo' is not valid version information"
+	  func_error "AGE '$age' is greater than the current interface number '$current'"
+	  func_fatal_error "'$vinfo' is not valid version information"
 	fi
 
 	# Calculate the version variables.
@@ -7451,26 +8874,36 @@ func_mode_link ()
 	  # verstring for coding it into the library header
 	  func_arith $current - $age
 	  major=.$func_arith_result
-	  versuffix="$major.$age.$revision"
+	  versuffix=$major.$age.$revision
 	  # Darwin ld doesn't like 0 for these options...
 	  func_arith $current + 1
 	  minor_current=$func_arith_result
-	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  xlcverstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision"
 	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+          # On Darwin other compilers
+          case $CC in
+              nagfor*)
+                  verstring="$wl-compatibility_version $wl$minor_current $wl-current_version $wl$minor_current.$revision"
+                  ;;
+              *)
+                  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
+                  ;;
+          esac
 	  ;;
 
 	freebsd-aout)
-	  major=".$current"
-	  versuffix=".$current.$revision";
+	  major=.$current
+	  versuffix=.$current.$revision
 	  ;;
 
 	freebsd-elf)
-	  major=".$current"
-	  versuffix=".$current"
+	  func_arith $current - $age
+	  major=.$func_arith_result
+	  versuffix=$major.$age.$revision
 	  ;;
 
 	irix | nonstopux)
-	  if test "X$lt_irix_increment" = "Xno"; then
+	  if test no = "$lt_irix_increment"; then
 	    func_arith $current - $age
 	  else
 	    func_arith $current - $age + 1
@@ -7481,69 +8914,74 @@ func_mode_link ()
 	    nonstopux) verstring_prefix=nonstopux ;;
 	    *)         verstring_prefix=sgi ;;
 	  esac
-	  verstring="$verstring_prefix$major.$revision"
+	  verstring=$verstring_prefix$major.$revision
 
 	  # Add in all the interfaces that we are compatible with.
 	  loop=$revision
-	  while test "$loop" -ne 0; do
+	  while test 0 -ne "$loop"; do
 	    func_arith $revision - $loop
 	    iface=$func_arith_result
 	    func_arith $loop - 1
 	    loop=$func_arith_result
-	    verstring="$verstring_prefix$major.$iface:$verstring"
+	    verstring=$verstring_prefix$major.$iface:$verstring
 	  done
 
-	  # Before this point, $major must not contain `.'.
+	  # Before this point, $major must not contain '.'.
 	  major=.$major
-	  versuffix="$major.$revision"
+	  versuffix=$major.$revision
 	  ;;
 
 	linux) # correct to gnu/linux during the next big refactor
 	  func_arith $current - $age
 	  major=.$func_arith_result
-	  versuffix="$major.$age.$revision"
+	  versuffix=$major.$age.$revision
 	  ;;
 
 	osf)
 	  func_arith $current - $age
 	  major=.$func_arith_result
-	  versuffix=".$current.$age.$revision"
-	  verstring="$current.$age.$revision"
+	  versuffix=.$current.$age.$revision
+	  verstring=$current.$age.$revision
 
 	  # Add in all the interfaces that we are compatible with.
 	  loop=$age
-	  while test "$loop" -ne 0; do
+	  while test 0 -ne "$loop"; do
 	    func_arith $current - $loop
 	    iface=$func_arith_result
 	    func_arith $loop - 1
 	    loop=$func_arith_result
-	    verstring="$verstring:${iface}.0"
+	    verstring=$verstring:$iface.0
 	  done
 
 	  # Make executables depend on our current version.
-	  func_append verstring ":${current}.0"
+	  func_append verstring ":$current.0"
 	  ;;
 
 	qnx)
-	  major=".$current"
-	  versuffix=".$current"
+	  major=.$current
+	  versuffix=.$current
+	  ;;
+
+	sco)
+	  major=.$current
+	  versuffix=.$current
 	  ;;
 
 	sunos)
-	  major=".$current"
-	  versuffix=".$current.$revision"
+	  major=.$current
+	  versuffix=.$current.$revision
 	  ;;
 
 	windows)
 	  # Use '-' rather than '.', since we only want one
-	  # extension on DOS 8.3 filesystems.
+	  # extension on DOS 8.3 file systems.
 	  func_arith $current - $age
 	  major=$func_arith_result
-	  versuffix="-$major"
+	  versuffix=-$major
 	  ;;
 
 	*)
-	  func_fatal_configuration "unknown library version type \`$version_type'"
+	  func_fatal_configuration "unknown library version type '$version_type'"
 	  ;;
 	esac
 
@@ -7557,42 +8995,45 @@ func_mode_link ()
 	    verstring=
 	    ;;
 	  *)
-	    verstring="0.0"
+	    verstring=0.0
 	    ;;
 	  esac
-	  if test "$need_version" = no; then
+	  if test no = "$need_version"; then
 	    versuffix=
 	  else
-	    versuffix=".0.0"
+	    versuffix=.0.0
 	  fi
 	fi
 
 	# Remove version info from name if versioning should be avoided
-	if test "$avoid_version" = yes && test "$need_version" = no; then
+	if test yes,no = "$avoid_version,$need_version"; then
 	  major=
 	  versuffix=
-	  verstring=""
+	  verstring=
 	fi
 
 	# Check to see if the archive will have undefined symbols.
-	if test "$allow_undefined" = yes; then
-	  if test "$allow_undefined_flag" = unsupported; then
-	    func_warning "undefined symbols not allowed in $host shared libraries"
-	    build_libtool_libs=no
-	    build_old_libs=yes
+	if test yes = "$allow_undefined"; then
+	  if test unsupported = "$allow_undefined_flag"; then
+	    if test yes = "$build_old_libs"; then
+	      func_warning "undefined symbols not allowed in $host shared libraries; building static only"
+	      build_libtool_libs=no
+	    else
+	      func_fatal_error "can't build $host shared library unless -no-undefined is specified"
+	    fi
 	  fi
 	else
 	  # Don't allow undefined symbols.
-	  allow_undefined_flag="$no_undefined_flag"
+	  allow_undefined_flag=$no_undefined_flag
 	fi
 
       fi
 
-      func_generate_dlsyms "$libname" "$libname" "yes"
+      func_generate_dlsyms "$libname" "$libname" :
       func_append libobjs " $symfileobj"
-      test "X$libobjs" = "X " && libobjs=
+      test " " = "$libobjs" && libobjs=
 
-      if test "$opt_mode" != relink; then
+      if test relink != "$opt_mode"; then
 	# Remove our outputs, but don't remove object files since they
 	# may have been created when compiling PIC objects.
 	removelist=
@@ -7601,8 +9042,8 @@ func_mode_link ()
 	  case $p in
 	    *.$objext | *.gcno)
 	       ;;
-	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*)
-	       if test "X$precious_files_regex" != "X"; then
+	    $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/$libname$release.*)
+	       if test -n "$precious_files_regex"; then
 		 if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1
 		 then
 		   continue
@@ -7618,11 +9059,11 @@ func_mode_link ()
       fi
 
       # Now set the variables for building old libraries.
-      if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then
+      if test yes = "$build_old_libs" && test convenience != "$build_libtool_libs"; then
 	func_append oldlibs " $output_objdir/$libname.$libext"
 
 	# Transform .lo files to .o files.
-	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP`
+	oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; $lo2o" | $NL2SP`
       fi
 
       # Eliminate all temporary directories.
@@ -7643,13 +9084,13 @@ func_mode_link ()
 	  *) func_append finalize_rpath " $libdir" ;;
 	  esac
 	done
-	if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then
+	if test yes != "$hardcode_into_libs" || test yes = "$build_old_libs"; then
 	  dependency_libs="$temp_xrpath $dependency_libs"
 	fi
       fi
 
       # Make sure dlfiles contains only unique files that won't be dlpreopened
-      old_dlfiles="$dlfiles"
+      old_dlfiles=$dlfiles
       dlfiles=
       for lib in $old_dlfiles; do
 	case " $dlprefiles $dlfiles " in
@@ -7659,7 +9100,7 @@ func_mode_link ()
       done
 
       # Make sure dlprefiles contains only unique files
-      old_dlprefiles="$dlprefiles"
+      old_dlprefiles=$dlprefiles
       dlprefiles=
       for lib in $old_dlprefiles; do
 	case "$dlprefiles " in
@@ -7668,7 +9109,7 @@ func_mode_link ()
 	esac
       done
 
-      if test "$build_libtool_libs" = yes; then
+      if test yes = "$build_libtool_libs"; then
 	if test -n "$rpath"; then
 	  case $host in
 	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*)
@@ -7692,7 +9133,7 @@ func_mode_link ()
 	    ;;
 	  *)
 	    # Add libc to deplibs on all other systems if necessary.
-	    if test "$build_libtool_need_lc" = "yes"; then
+	    if test yes = "$build_libtool_need_lc"; then
 	      func_append deplibs " -lc"
 	    fi
 	    ;;
@@ -7708,9 +9149,9 @@ func_mode_link ()
 	# I'm not sure if I'm treating the release correctly.  I think
 	# release should show up in the -l (ie -lgmp5) so we don't want to
 	# add it in twice.  Is that correct?
-	release=""
-	versuffix=""
-	major=""
+	release=
+	versuffix=
+	major=
 	newdeplibs=
 	droppeddeps=no
 	case $deplibs_check_method in
@@ -7739,20 +9180,20 @@ EOF
 	      -l*)
 		func_stripname -l '' "$i"
 		name=$func_stripname_result
-		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		if test yes = "$allow_libtool_libs_with_static_runtimes"; then
 		  case " $predeps $postdeps " in
 		  *" $i "*)
 		    func_append newdeplibs " $i"
-		    i=""
+		    i=
 		    ;;
 		  esac
 		fi
-		if test -n "$i" ; then
+		if test -n "$i"; then
 		  libname=`eval "\\$ECHO \"$libname_spec\""`
 		  deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
 		  set dummy $deplib_matches; shift
 		  deplib_match=$1
-		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		  if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0; then
 		    func_append newdeplibs " $i"
 		  else
 		    droppeddeps=yes
@@ -7782,20 +9223,20 @@ EOF
 		$opt_dry_run || $RM conftest
 		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
 		  ldd_output=`ldd conftest`
-		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+		  if test yes = "$allow_libtool_libs_with_static_runtimes"; then
 		    case " $predeps $postdeps " in
 		    *" $i "*)
 		      func_append newdeplibs " $i"
-		      i=""
+		      i=
 		      ;;
 		    esac
 		  fi
-		  if test -n "$i" ; then
+		  if test -n "$i"; then
 		    libname=`eval "\\$ECHO \"$libname_spec\""`
 		    deplib_matches=`eval "\\$ECHO \"$library_names_spec\""`
 		    set dummy $deplib_matches; shift
 		    deplib_match=$1
-		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0 ; then
+		    if test `expr "$ldd_output" : ".*$deplib_match"` -ne 0; then
 		      func_append newdeplibs " $i"
 		    else
 		      droppeddeps=yes
@@ -7832,24 +9273,24 @@ EOF
 	    -l*)
 	      func_stripname -l '' "$a_deplib"
 	      name=$func_stripname_result
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	      if test yes = "$allow_libtool_libs_with_static_runtimes"; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
 		  func_append newdeplibs " $a_deplib"
-		  a_deplib=""
+		  a_deplib=
 		  ;;
 		esac
 	      fi
-	      if test -n "$a_deplib" ; then
+	      if test -n "$a_deplib"; then
 		libname=`eval "\\$ECHO \"$libname_spec\""`
 		if test -n "$file_magic_glob"; then
 		  libnameglob=`func_echo_all "$libname" | $SED -e $file_magic_glob`
 		else
 		  libnameglob=$libname
 		fi
-		test "$want_nocaseglob" = yes && nocaseglob=`shopt -p nocaseglob`
+		test yes = "$want_nocaseglob" && nocaseglob=`shopt -p nocaseglob`
 		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
-		  if test "$want_nocaseglob" = yes; then
+		  if test yes = "$want_nocaseglob"; then
 		    shopt -s nocaseglob
 		    potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null`
 		    $nocaseglob
@@ -7867,25 +9308,25 @@ EOF
 		      # We might still enter an endless loop, since a link
 		      # loop can be closed while we follow links,
 		      # but so what?
-		      potlib="$potent_lib"
+		      potlib=$potent_lib
 		      while test -h "$potlib" 2>/dev/null; do
-			potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'`
+			potliblink=`ls -ld $potlib | $SED 's/.* -> //'`
 			case $potliblink in
-			[\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";;
-			*) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";;
+			[\\/]* | [A-Za-z]:[\\/]*) potlib=$potliblink;;
+			*) potlib=`$ECHO "$potlib" | $SED 's|[^/]*$||'`"$potliblink";;
 			esac
 		      done
 		      if eval $file_magic_cmd \"\$potlib\" 2>/dev/null |
 			 $SED -e 10q |
 			 $EGREP "$file_magic_regex" > /dev/null; then
 			func_append newdeplibs " $a_deplib"
-			a_deplib=""
+			a_deplib=
 			break 2
 		      fi
 		  done
 		done
 	      fi
-	      if test -n "$a_deplib" ; then
+	      if test -n "$a_deplib"; then
 		droppeddeps=yes
 		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
@@ -7893,7 +9334,7 @@ EOF
 		echo "*** you link to this library.  But I can only do this if you have a"
 		echo "*** shared version of the library, which you do not appear to have"
 		echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
+		if test -z "$potlib"; then
 		  $ECHO "*** with $libname but no candidates were found. (...for file magic test)"
 		else
 		  $ECHO "*** with $libname and none of the candidates passed a file format test"
@@ -7916,30 +9357,30 @@ EOF
 	    -l*)
 	      func_stripname -l '' "$a_deplib"
 	      name=$func_stripname_result
-	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
+	      if test yes = "$allow_libtool_libs_with_static_runtimes"; then
 		case " $predeps $postdeps " in
 		*" $a_deplib "*)
 		  func_append newdeplibs " $a_deplib"
-		  a_deplib=""
+		  a_deplib=
 		  ;;
 		esac
 	      fi
-	      if test -n "$a_deplib" ; then
+	      if test -n "$a_deplib"; then
 		libname=`eval "\\$ECHO \"$libname_spec\""`
 		for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do
 		  potential_libs=`ls $i/$libname[.-]* 2>/dev/null`
 		  for potent_lib in $potential_libs; do
-		    potlib="$potent_lib" # see symlink-check above in file_magic test
+		    potlib=$potent_lib # see symlink-check above in file_magic test
 		    if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \
 		       $EGREP "$match_pattern_regex" > /dev/null; then
 		      func_append newdeplibs " $a_deplib"
-		      a_deplib=""
+		      a_deplib=
 		      break 2
 		    fi
 		  done
 		done
 	      fi
-	      if test -n "$a_deplib" ; then
+	      if test -n "$a_deplib"; then
 		droppeddeps=yes
 		echo
 		$ECHO "*** Warning: linker path does not have real file for library $a_deplib."
@@ -7947,7 +9388,7 @@ EOF
 		echo "*** you link to this library.  But I can only do this if you have a"
 		echo "*** shared version of the library, which you do not appear to have"
 		echo "*** because I did check the linker path looking for a file starting"
-		if test -z "$potlib" ; then
+		if test -z "$potlib"; then
 		  $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)"
 		else
 		  $ECHO "*** with $libname and none of the candidates passed a file format test"
@@ -7963,18 +9404,18 @@ EOF
 	  done # Gone through all deplibs.
 	  ;;
 	none | unknown | *)
-	  newdeplibs=""
+	  newdeplibs=
 	  tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'`
-	  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
-	    for i in $predeps $postdeps ; do
+	  if test yes = "$allow_libtool_libs_with_static_runtimes"; then
+	    for i in $predeps $postdeps; do
 	      # can't use Xsed below, because $i might contain '/'
-	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"`
+	      tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s|$i||"`
 	    done
 	  fi
 	  case $tmp_deplibs in
 	  *[!\	\ ]*)
 	    echo
-	    if test "X$deplibs_check_method" = "Xnone"; then
+	    if test none = "$deplibs_check_method"; then
 	      echo "*** Warning: inter-library dependencies are not supported in this platform."
 	    else
 	      echo "*** Warning: inter-library dependencies are not known to be supported."
@@ -7998,8 +9439,8 @@ EOF
 	  ;;
 	esac
 
-	if test "$droppeddeps" = yes; then
-	  if test "$module" = yes; then
+	if test yes = "$droppeddeps"; then
+	  if test yes = "$module"; then
 	    echo
 	    echo "*** Warning: libtool could not satisfy all declared inter-library"
 	    $ECHO "*** dependencies of module $libname.  Therefore, libtool will create"
@@ -8008,12 +9449,12 @@ EOF
 	    if test -z "$global_symbol_pipe"; then
 	      echo
 	      echo "*** However, this would only work if libtool was able to extract symbol"
-	      echo "*** lists from a program, using \`nm' or equivalent, but libtool could"
+	      echo "*** lists from a program, using 'nm' or equivalent, but libtool could"
 	      echo "*** not find such a program.  So, this module is probably useless."
-	      echo "*** \`nm' from GNU binutils and a full rebuild may help."
+	      echo "*** 'nm' from GNU binutils and a full rebuild may help."
 	    fi
-	    if test "$build_old_libs" = no; then
-	      oldlibs="$output_objdir/$libname.$libext"
+	    if test no = "$build_old_libs"; then
+	      oldlibs=$output_objdir/$libname.$libext
 	      build_libtool_libs=module
 	      build_old_libs=yes
 	    else
@@ -8024,14 +9465,14 @@ EOF
 	    echo "*** automatically added whenever a program is linked with this library"
 	    echo "*** or is declared to -dlopen it."
 
-	    if test "$allow_undefined" = no; then
+	    if test no = "$allow_undefined"; then
 	      echo
 	      echo "*** Since this library must not contain undefined symbols,"
 	      echo "*** because either the platform does not support them or"
 	      echo "*** it was explicitly requested with -no-undefined,"
 	      echo "*** libtool will only create a static version of it."
-	      if test "$build_old_libs" = no; then
-		oldlibs="$output_objdir/$libname.$libext"
+	      if test no = "$build_old_libs"; then
+		oldlibs=$output_objdir/$libname.$libext
 		build_libtool_libs=module
 		build_old_libs=yes
 	      else
@@ -8077,7 +9518,7 @@ EOF
 	*) func_append new_libs " $deplib" ;;
 	esac
       done
-      deplibs="$new_libs"
+      deplibs=$new_libs
 
       # All the library-specific variables (install_libdir is set above).
       library_names=
@@ -8085,25 +9526,25 @@ EOF
       dlname=
 
       # Test again, we may have decided not to build it any more
-      if test "$build_libtool_libs" = yes; then
-	# Remove ${wl} instances when linking with ld.
+      if test yes = "$build_libtool_libs"; then
+	# Remove $wl instances when linking with ld.
 	# FIXME: should test the right _cmds variable.
 	case $archive_cmds in
 	  *\$LD\ *) wl= ;;
         esac
-	if test "$hardcode_into_libs" = yes; then
+	if test yes = "$hardcode_into_libs"; then
 	  # Hardcode the library paths
 	  hardcode_libdirs=
 	  dep_rpath=
-	  rpath="$finalize_rpath"
-	  test "$opt_mode" != relink && rpath="$compile_rpath$rpath"
+	  rpath=$finalize_rpath
+	  test relink = "$opt_mode" || rpath=$compile_rpath$rpath
 	  for libdir in $rpath; do
 	    if test -n "$hardcode_libdir_flag_spec"; then
 	      if test -n "$hardcode_libdir_separator"; then
 		func_replace_sysroot "$libdir"
 		libdir=$func_replace_sysroot_result
 		if test -z "$hardcode_libdirs"; then
-		  hardcode_libdirs="$libdir"
+		  hardcode_libdirs=$libdir
 		else
 		  # Just accumulate the unique libdirs.
 		  case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
@@ -8128,7 +9569,7 @@ EOF
 	  # Substitute the hardcoded libdirs into the rpath.
 	  if test -n "$hardcode_libdir_separator" &&
 	     test -n "$hardcode_libdirs"; then
-	    libdir="$hardcode_libdirs"
+	    libdir=$hardcode_libdirs
 	    eval "dep_rpath=\"$hardcode_libdir_flag_spec\""
 	  fi
 	  if test -n "$runpath_var" && test -n "$perm_rpath"; then
@@ -8142,8 +9583,8 @@ EOF
 	  test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs"
 	fi
 
-	shlibpath="$finalize_shlibpath"
-	test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath"
+	shlibpath=$finalize_shlibpath
+	test relink = "$opt_mode" || shlibpath=$compile_shlibpath$shlibpath
 	if test -n "$shlibpath"; then
 	  eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var"
 	fi
@@ -8153,19 +9594,19 @@ EOF
 	eval library_names=\"$library_names_spec\"
 	set dummy $library_names
 	shift
-	realname="$1"
+	realname=$1
 	shift
 
 	if test -n "$soname_spec"; then
 	  eval soname=\"$soname_spec\"
 	else
-	  soname="$realname"
+	  soname=$realname
 	fi
 	if test -z "$dlname"; then
 	  dlname=$soname
 	fi
 
-	lib="$output_objdir/$realname"
+	lib=$output_objdir/$realname
 	linknames=
 	for link
 	do
@@ -8179,7 +9620,7 @@ EOF
 	delfiles=
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
 	  $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp"
-	  export_symbols="$output_objdir/$libname.uexp"
+	  export_symbols=$output_objdir/$libname.uexp
 	  func_append delfiles " $export_symbols"
 	fi
 
@@ -8188,31 +9629,31 @@ EOF
 	cygwin* | mingw* | cegcc*)
 	  if test -n "$export_symbols" && test -z "$export_symbols_regex"; then
 	    # exporting using user supplied symfile
-	    if test "x`$SED 1q $export_symbols`" != xEXPORTS; then
+	    func_dll_def_p "$export_symbols" || {
 	      # and it's NOT already a .def file. Must figure out
 	      # which of the given symbols are data symbols and tag
 	      # them as such. So, trigger use of export_symbols_cmds.
 	      # export_symbols gets reassigned inside the "prepare
 	      # the list of exported symbols" if statement, so the
 	      # include_expsyms logic still works.
-	      orig_export_symbols="$export_symbols"
+	      orig_export_symbols=$export_symbols
 	      export_symbols=
 	      always_export_symbols=yes
-	    fi
+	    }
 	  fi
 	  ;;
 	esac
 
 	# Prepare the list of exported symbols
 	if test -z "$export_symbols"; then
-	  if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then
-	    func_verbose "generating symbol list for \`$libname.la'"
-	    export_symbols="$output_objdir/$libname.exp"
+	  if test yes = "$always_export_symbols" || test -n "$export_symbols_regex"; then
+	    func_verbose "generating symbol list for '$libname.la'"
+	    export_symbols=$output_objdir/$libname.exp
 	    $opt_dry_run || $RM $export_symbols
 	    cmds=$export_symbols_cmds
-	    save_ifs="$IFS"; IFS='~'
+	    save_ifs=$IFS; IFS='~'
 	    for cmd1 in $cmds; do
-	      IFS="$save_ifs"
+	      IFS=$save_ifs
 	      # Take the normal branch if the nm_file_list_spec branch
 	      # doesn't work or if tool conversion is not needed.
 	      case $nm_file_list_spec~$to_tool_file_cmd in
@@ -8226,7 +9667,7 @@ EOF
 		  try_normal_branch=no
 		  ;;
 	      esac
-	      if test "$try_normal_branch" = yes \
+	      if test yes = "$try_normal_branch" \
 		 && { test "$len" -lt "$max_cmd_len" \
 		      || test "$max_cmd_len" -le -1; }
 	      then
@@ -8237,7 +9678,7 @@ EOF
 		output_la=$func_basename_result
 		save_libobjs=$libobjs
 		save_output=$output
-		output=${output_objdir}/${output_la}.nm
+		output=$output_objdir/$output_la.nm
 		func_to_tool_file "$output"
 		libobjs=$nm_file_list_spec$func_to_tool_file_result
 		func_append delfiles " $output"
@@ -8260,8 +9701,8 @@ EOF
 		break
 	      fi
 	    done
-	    IFS="$save_ifs"
-	    if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then
+	    IFS=$save_ifs
+	    if test -n "$export_symbols_regex" && test : != "$skipped_export"; then
 	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
 	      func_show_eval '$MV "${export_symbols}T" "$export_symbols"'
 	    fi
@@ -8269,16 +9710,16 @@ EOF
 	fi
 
 	if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	  tmp_export_symbols="$export_symbols"
-	  test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
+	  tmp_export_symbols=$export_symbols
+	  test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols
 	  $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	fi
 
-	if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then
+	if test : != "$skipped_export" && test -n "$orig_export_symbols"; then
 	  # The given exports_symbols file has to be filtered, so filter it.
-	  func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
+	  func_verbose "filter symbol list for '$libname.la' to tag DATA exports"
 	  # FIXME: $output_objdir/$libname.filter potentially contains lots of
-	  # 's' commands which not all seds can handle. GNU sed should be fine
+	  # 's' commands, which not all seds can handle. GNU sed should be fine
 	  # though. Also, the filter scales superlinearly with the number of
 	  # global variables. join(1) would be nice here, but unfortunately
 	  # isn't a blessed tool.
@@ -8297,11 +9738,11 @@ EOF
 	    ;;
 	  esac
 	done
-	deplibs="$tmp_deplibs"
+	deplibs=$tmp_deplibs
 
 	if test -n "$convenience"; then
 	  if test -n "$whole_archive_flag_spec" &&
-	    test "$compiler_needs_object" = yes &&
+	    test yes = "$compiler_needs_object" &&
 	    test -z "$libobjs"; then
 	    # extract the archives, so we have objects to list.
 	    # TODO: could optimize this to just extract one archive.
@@ -8312,7 +9753,7 @@ EOF
 	    eval libobjs=\"\$libobjs $whole_archive_flag_spec\"
 	    test "X$libobjs" = "X " && libobjs=
 	  else
-	    gentop="$output_objdir/${outputname}x"
+	    gentop=$output_objdir/${outputname}x
 	    func_append generated " $gentop"
 
 	    func_extract_archives $gentop $convenience
@@ -8321,18 +9762,18 @@ EOF
 	  fi
 	fi
 
-	if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then
+	if test yes = "$thread_safe" && test -n "$thread_safe_flag_spec"; then
 	  eval flag=\"$thread_safe_flag_spec\"
 	  func_append linker_flags " $flag"
 	fi
 
 	# Make a backup of the uninstalled library when relinking
-	if test "$opt_mode" = relink; then
+	if test relink = "$opt_mode"; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $?
 	fi
 
 	# Do each of the archive commands.
-	if test "$module" = yes && test -n "$module_cmds" ; then
+	if test yes = "$module" && test -n "$module_cmds"; then
 	  if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
 	    eval test_cmds=\"$module_expsym_cmds\"
 	    cmds=$module_expsym_cmds
@@ -8350,7 +9791,7 @@ EOF
 	  fi
 	fi
 
-	if test "X$skipped_export" != "X:" &&
+	if test : != "$skipped_export" &&
 	   func_len " $test_cmds" &&
 	   len=$func_len_result &&
 	   test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then
@@ -8383,8 +9824,8 @@ EOF
 	  last_robj=
 	  k=1
 
-	  if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then
-	    output=${output_objdir}/${output_la}.lnkscript
+	  if test -n "$save_libobjs" && test : != "$skipped_export" && test yes = "$with_gnu_ld"; then
+	    output=$output_objdir/$output_la.lnkscript
 	    func_verbose "creating GNU ld script: $output"
 	    echo 'INPUT (' > $output
 	    for obj in $save_libobjs
@@ -8396,14 +9837,14 @@ EOF
 	    func_append delfiles " $output"
 	    func_to_tool_file "$output"
 	    output=$func_to_tool_file_result
-	  elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then
-	    output=${output_objdir}/${output_la}.lnk
+	  elif test -n "$save_libobjs" && test : != "$skipped_export" && test -n "$file_list_spec"; then
+	    output=$output_objdir/$output_la.lnk
 	    func_verbose "creating linker input file list: $output"
 	    : > $output
 	    set x $save_libobjs
 	    shift
 	    firstobj=
-	    if test "$compiler_needs_object" = yes; then
+	    if test yes = "$compiler_needs_object"; then
 	      firstobj="$1 "
 	      shift
 	    fi
@@ -8418,7 +9859,7 @@ EOF
 	  else
 	    if test -n "$save_libobjs"; then
 	      func_verbose "creating reloadable object files..."
-	      output=$output_objdir/$output_la-${k}.$objext
+	      output=$output_objdir/$output_la-$k.$objext
 	      eval test_cmds=\"$reload_cmds\"
 	      func_len " $test_cmds"
 	      len0=$func_len_result
@@ -8430,13 +9871,13 @@ EOF
 		func_len " $obj"
 		func_arith $len + $func_len_result
 		len=$func_arith_result
-		if test "X$objlist" = X ||
+		if test -z "$objlist" ||
 		   test "$len" -lt "$max_cmd_len"; then
 		  func_append objlist " $obj"
 		else
 		  # The command $test_cmds is almost too long, add a
 		  # command to the queue.
-		  if test "$k" -eq 1 ; then
+		  if test 1 -eq "$k"; then
 		    # The first file doesn't have a previous command to add.
 		    reload_objs=$objlist
 		    eval concat_cmds=\"$reload_cmds\"
@@ -8446,10 +9887,10 @@ EOF
 		    reload_objs="$objlist $last_robj"
 		    eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\"
 		  fi
-		  last_robj=$output_objdir/$output_la-${k}.$objext
+		  last_robj=$output_objdir/$output_la-$k.$objext
 		  func_arith $k + 1
 		  k=$func_arith_result
-		  output=$output_objdir/$output_la-${k}.$objext
+		  output=$output_objdir/$output_la-$k.$objext
 		  objlist=" $obj"
 		  func_len " $last_robj"
 		  func_arith $len0 + $func_len_result
@@ -8461,9 +9902,9 @@ EOF
 	      # files will link in the last one created.
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
 	      reload_objs="$objlist $last_robj"
-	      eval concat_cmds=\"\${concat_cmds}$reload_cmds\"
+	      eval concat_cmds=\"\$concat_cmds$reload_cmds\"
 	      if test -n "$last_robj"; then
-	        eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\"
+	        eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
 	      fi
 	      func_append delfiles " $output"
 
@@ -8471,9 +9912,9 @@ EOF
 	      output=
 	    fi
 
-	    if ${skipped_export-false}; then
-	      func_verbose "generating symbol list for \`$libname.la'"
-	      export_symbols="$output_objdir/$libname.exp"
+	    ${skipped_export-false} && {
+	      func_verbose "generating symbol list for '$libname.la'"
+	      export_symbols=$output_objdir/$libname.exp
 	      $opt_dry_run || $RM $export_symbols
 	      libobjs=$output
 	      # Append the command to create the export file.
@@ -8482,16 +9923,16 @@ EOF
 	      if test -n "$last_robj"; then
 		eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\"
 	      fi
-	    fi
+	    }
 
 	    test -n "$save_libobjs" &&
 	      func_verbose "creating a temporary reloadable object file: $output"
 
 	    # Loop through the commands generated above and execute them.
-	    save_ifs="$IFS"; IFS='~'
+	    save_ifs=$IFS; IFS='~'
 	    for cmd in $concat_cmds; do
-	      IFS="$save_ifs"
-	      $opt_silent || {
+	      IFS=$save_ifs
+	      $opt_quiet || {
 		  func_quote_for_expand "$cmd"
 		  eval "func_echo $func_quote_for_expand_result"
 	      }
@@ -8499,7 +9940,7 @@ EOF
 		lt_exit=$?
 
 		# Restore the uninstalled library and exit
-		if test "$opt_mode" = relink; then
+		if test relink = "$opt_mode"; then
 		  ( cd "$output_objdir" && \
 		    $RM "${realname}T" && \
 		    $MV "${realname}U" "$realname" )
@@ -8508,7 +9949,7 @@ EOF
 		exit $lt_exit
 	      }
 	    done
-	    IFS="$save_ifs"
+	    IFS=$save_ifs
 
 	    if test -n "$export_symbols_regex" && ${skipped_export-false}; then
 	      func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"'
@@ -8516,18 +9957,18 @@ EOF
 	    fi
 	  fi
 
-          if ${skipped_export-false}; then
+          ${skipped_export-false} && {
 	    if test -n "$export_symbols" && test -n "$include_expsyms"; then
-	      tmp_export_symbols="$export_symbols"
-	      test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols"
+	      tmp_export_symbols=$export_symbols
+	      test -n "$orig_export_symbols" && tmp_export_symbols=$orig_export_symbols
 	      $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"'
 	    fi
 
 	    if test -n "$orig_export_symbols"; then
 	      # The given exports_symbols file has to be filtered, so filter it.
-	      func_verbose "filter symbol list for \`$libname.la' to tag DATA exports"
+	      func_verbose "filter symbol list for '$libname.la' to tag DATA exports"
 	      # FIXME: $output_objdir/$libname.filter potentially contains lots of
-	      # 's' commands which not all seds can handle. GNU sed should be fine
+	      # 's' commands, which not all seds can handle. GNU sed should be fine
 	      # though. Also, the filter scales superlinearly with the number of
 	      # global variables. join(1) would be nice here, but unfortunately
 	      # isn't a blessed tool.
@@ -8536,7 +9977,7 @@ EOF
 	      export_symbols=$output_objdir/$libname.def
 	      $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols
 	    fi
-	  fi
+	  }
 
 	  libobjs=$output
 	  # Restore the value of output.
@@ -8550,7 +9991,7 @@ EOF
 	  # value of $libobjs for piecewise linking.
 
 	  # Do each of the archive commands.
-	  if test "$module" = yes && test -n "$module_cmds" ; then
+	  if test yes = "$module" && test -n "$module_cmds"; then
 	    if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then
 	      cmds=$module_expsym_cmds
 	    else
@@ -8572,7 +10013,7 @@ EOF
 
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
-	  gentop="$output_objdir/${outputname}x"
+	  gentop=$output_objdir/${outputname}x
 	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
@@ -8580,11 +10021,12 @@ EOF
 	  test "X$libobjs" = "X " && libobjs=
 	fi
 
-	save_ifs="$IFS"; IFS='~'
+	save_ifs=$IFS; IFS='~'
 	for cmd in $cmds; do
-	  IFS="$save_ifs"
+	  IFS=$sp$nl
 	  eval cmd=\"$cmd\"
-	  $opt_silent || {
+	  IFS=$save_ifs
+	  $opt_quiet || {
 	    func_quote_for_expand "$cmd"
 	    eval "func_echo $func_quote_for_expand_result"
 	  }
@@ -8592,7 +10034,7 @@ EOF
 	    lt_exit=$?
 
 	    # Restore the uninstalled library and exit
-	    if test "$opt_mode" = relink; then
+	    if test relink = "$opt_mode"; then
 	      ( cd "$output_objdir" && \
 	        $RM "${realname}T" && \
 		$MV "${realname}U" "$realname" )
@@ -8601,10 +10043,10 @@ EOF
 	    exit $lt_exit
 	  }
 	done
-	IFS="$save_ifs"
+	IFS=$save_ifs
 
 	# Restore the uninstalled library and exit
-	if test "$opt_mode" = relink; then
+	if test relink = "$opt_mode"; then
 	  $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $?
 
 	  if test -n "$convenience"; then
@@ -8624,39 +10066,39 @@ EOF
 	done
 
 	# If -module or -export-dynamic was specified, set the dlname.
-	if test "$module" = yes || test "$export_dynamic" = yes; then
+	if test yes = "$module" || test yes = "$export_dynamic"; then
 	  # On all known operating systems, these are identical.
-	  dlname="$soname"
+	  dlname=$soname
 	fi
       fi
       ;;
 
     obj)
-      if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
-	func_warning "\`-dlopen' is ignored for objects"
+      if test -n "$dlfiles$dlprefiles" || test no != "$dlself"; then
+	func_warning "'-dlopen' is ignored for objects"
       fi
 
       case " $deplibs" in
       *\ -l* | *\ -L*)
-	func_warning "\`-l' and \`-L' are ignored for objects" ;;
+	func_warning "'-l' and '-L' are ignored for objects" ;;
       esac
 
       test -n "$rpath" && \
-	func_warning "\`-rpath' is ignored for objects"
+	func_warning "'-rpath' is ignored for objects"
 
       test -n "$xrpath" && \
-	func_warning "\`-R' is ignored for objects"
+	func_warning "'-R' is ignored for objects"
 
       test -n "$vinfo" && \
-	func_warning "\`-version-info' is ignored for objects"
+	func_warning "'-version-info' is ignored for objects"
 
       test -n "$release" && \
-	func_warning "\`-release' is ignored for objects"
+	func_warning "'-release' is ignored for objects"
 
       case $output in
       *.lo)
 	test -n "$objs$old_deplibs" && \
-	  func_fatal_error "cannot build library object \`$output' from non-libtool objects"
+	  func_fatal_error "cannot build library object '$output' from non-libtool objects"
 
 	libobj=$output
 	func_lo2o "$libobj"
@@ -8664,7 +10106,7 @@ EOF
 	;;
       *)
 	libobj=
-	obj="$output"
+	obj=$output
 	;;
       esac
 
@@ -8677,17 +10119,19 @@ EOF
       # the extraction.
       reload_conv_objs=
       gentop=
-      # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec and hope we can get by with
-      # turning comma into space..
-      wl=
-
+      # if reload_cmds runs $LD directly, get rid of -Wl from
+      # whole_archive_flag_spec and hope we can get by with turning comma
+      # into space.
+      case $reload_cmds in
+        *\$LD[\ \$]*) wl= ;;
+      esac
       if test -n "$convenience"; then
 	if test -n "$whole_archive_flag_spec"; then
 	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
-	  reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
+	  test -n "$wl" || tmp_whole_archive_flags=`$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'`
+	  reload_conv_objs=$reload_objs\ $tmp_whole_archive_flags
 	else
-	  gentop="$output_objdir/${obj}x"
+	  gentop=$output_objdir/${obj}x
 	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $convenience
@@ -8696,12 +10140,12 @@ EOF
       fi
 
       # If we're not building shared, we need to use non_pic_objs
-      test "$build_libtool_libs" != yes && libobjs="$non_pic_objects"
+      test yes = "$build_libtool_libs" || libobjs=$non_pic_objects
 
       # Create the old-style object.
-      reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test
+      reload_objs=$objs$old_deplibs' '`$ECHO "$libobjs" | $SP2NL | $SED "/\.$libext$/d; /\.lib$/d; $lo2o" | $NL2SP`' '$reload_conv_objs
 
-      output="$obj"
+      output=$obj
       func_execute_cmds "$reload_cmds" 'exit $?'
 
       # Exit if we aren't doing a library object file.
@@ -8713,7 +10157,7 @@ EOF
 	exit $EXIT_SUCCESS
       fi
 
-      if test "$build_libtool_libs" != yes; then
+      test yes = "$build_libtool_libs" || {
 	if test -n "$gentop"; then
 	  func_show_eval '${RM}r "$gentop"'
 	fi
@@ -8723,12 +10167,12 @@ EOF
 	# $show "echo timestamp > $libobj"
 	# $opt_dry_run || eval "echo timestamp > $libobj" || exit $?
 	exit $EXIT_SUCCESS
-      fi
+      }
 
-      if test -n "$pic_flag" || test "$pic_mode" != default; then
+      if test -n "$pic_flag" || test default != "$pic_mode"; then
 	# Only do commands if we really have different PIC objects.
 	reload_objs="$libobjs $reload_conv_objs"
-	output="$libobj"
+	output=$libobj
 	func_execute_cmds "$reload_cmds" 'exit $?'
       fi
 
@@ -8745,16 +10189,14 @@ EOF
 	          output=$func_stripname_result.exe;;
       esac
       test -n "$vinfo" && \
-	func_warning "\`-version-info' is ignored for programs"
+	func_warning "'-version-info' is ignored for programs"
 
       test -n "$release" && \
-	func_warning "\`-release' is ignored for programs"
+	func_warning "'-release' is ignored for programs"
 
-      test "$preload" = yes \
-        && test "$dlopen_support" = unknown \
-	&& test "$dlopen_self" = unknown \
-	&& test "$dlopen_self_static" = unknown && \
-	  func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support."
+      $preload \
+	&& test unknown,unknown,unknown = "$dlopen_support,$dlopen_self,$dlopen_self_static" \
+	&& func_warning "'LT_INIT([dlopen])' not used. Assuming no dlopen support."
 
       case $host in
       *-*-rhapsody* | *-*-darwin1.[012])
@@ -8768,11 +10210,11 @@ EOF
       *-*-darwin*)
 	# Don't allow lazy linking, it breaks C++ global constructors
 	# But is supposedly fixed on 10.4 or later (yay!).
-	if test "$tagname" = CXX ; then
+	if test CXX = "$tagname"; then
 	  case ${MACOSX_DEPLOYMENT_TARGET-10.0} in
 	    10.[0123])
-	      func_append compile_command " ${wl}-bind_at_load"
-	      func_append finalize_command " ${wl}-bind_at_load"
+	      func_append compile_command " $wl-bind_at_load"
+	      func_append finalize_command " $wl-bind_at_load"
 	    ;;
 	  esac
 	fi
@@ -8808,7 +10250,7 @@ EOF
 	*) func_append new_libs " $deplib" ;;
 	esac
       done
-      compile_deplibs="$new_libs"
+      compile_deplibs=$new_libs
 
 
       func_append compile_command " $compile_deplibs"
@@ -8832,7 +10274,7 @@ EOF
 	if test -n "$hardcode_libdir_flag_spec"; then
 	  if test -n "$hardcode_libdir_separator"; then
 	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
+	      hardcode_libdirs=$libdir
 	    else
 	      # Just accumulate the unique libdirs.
 	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
@@ -8855,7 +10297,7 @@ EOF
 	fi
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*)
-	  testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'`
+	  testbindir=`$ECHO "$libdir" | $SED -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
 	  ::) dllsearchpath=$libdir;;
@@ -8872,10 +10314,10 @@ EOF
       # Substitute the hardcoded libdirs into the rpath.
       if test -n "$hardcode_libdir_separator" &&
 	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
+	libdir=$hardcode_libdirs
 	eval rpath=\" $hardcode_libdir_flag_spec\"
       fi
-      compile_rpath="$rpath"
+      compile_rpath=$rpath
 
       rpath=
       hardcode_libdirs=
@@ -8883,7 +10325,7 @@ EOF
 	if test -n "$hardcode_libdir_flag_spec"; then
 	  if test -n "$hardcode_libdir_separator"; then
 	    if test -z "$hardcode_libdirs"; then
-	      hardcode_libdirs="$libdir"
+	      hardcode_libdirs=$libdir
 	    else
 	      # Just accumulate the unique libdirs.
 	      case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in
@@ -8908,45 +10350,43 @@ EOF
       # Substitute the hardcoded libdirs into the rpath.
       if test -n "$hardcode_libdir_separator" &&
 	 test -n "$hardcode_libdirs"; then
-	libdir="$hardcode_libdirs"
+	libdir=$hardcode_libdirs
 	eval rpath=\" $hardcode_libdir_flag_spec\"
       fi
-      finalize_rpath="$rpath"
+      finalize_rpath=$rpath
 
-      if test -n "$libobjs" && test "$build_old_libs" = yes; then
+      if test -n "$libobjs" && test yes = "$build_old_libs"; then
 	# Transform all the library objects into standard objects.
 	compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
 	finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP`
       fi
 
-      func_generate_dlsyms "$outputname" "@PROGRAM@" "no"
+      func_generate_dlsyms "$outputname" "@PROGRAM@" false
 
       # template prelinking step
       if test -n "$prelink_cmds"; then
 	func_execute_cmds "$prelink_cmds" 'exit $?'
       fi
 
-      wrappers_required=yes
+      wrappers_required=:
       case $host in
       *cegcc* | *mingw32ce*)
         # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway.
-        wrappers_required=no
+        wrappers_required=false
         ;;
       *cygwin* | *mingw* )
-        if test "$build_libtool_libs" != yes; then
-          wrappers_required=no
-        fi
+        test yes = "$build_libtool_libs" || wrappers_required=false
         ;;
       *)
-        if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
-          wrappers_required=no
+        if test no = "$need_relink" || test yes != "$build_libtool_libs"; then
+          wrappers_required=false
         fi
         ;;
       esac
-      if test "$wrappers_required" = no; then
+      $wrappers_required || {
 	# Replace the output file specification.
 	compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
-	link_command="$compile_command$compile_rpath"
+	link_command=$compile_command$compile_rpath
 
 	# We have no uninstalled library dependencies, so finalize right now.
 	exit_status=0
@@ -8959,12 +10399,12 @@ EOF
 	fi
 
 	# Delete the generated files.
-	if test -f "$output_objdir/${outputname}S.${objext}"; then
-	  func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"'
+	if test -f "$output_objdir/${outputname}S.$objext"; then
+	  func_show_eval '$RM "$output_objdir/${outputname}S.$objext"'
 	fi
 
 	exit $exit_status
-      fi
+      }
 
       if test -n "$compile_shlibpath$finalize_shlibpath"; then
 	compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command"
@@ -8994,9 +10434,9 @@ EOF
 	fi
       fi
 
-      if test "$no_install" = yes; then
+      if test yes = "$no_install"; then
 	# We don't need to create a wrapper script.
-	link_command="$compile_var$compile_command$compile_rpath"
+	link_command=$compile_var$compile_command$compile_rpath
 	# Replace the output file specification.
 	link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'`
 	# Delete the old output file.
@@ -9013,27 +10453,28 @@ EOF
 	exit $EXIT_SUCCESS
       fi
 
-      if test "$hardcode_action" = relink; then
-	# Fast installation is not supported
-	link_command="$compile_var$compile_command$compile_rpath"
-	relink_command="$finalize_var$finalize_command$finalize_rpath"
+      case $hardcode_action,$fast_install in
+        relink,*)
+	  # Fast installation is not supported
+	  link_command=$compile_var$compile_command$compile_rpath
+	  relink_command=$finalize_var$finalize_command$finalize_rpath
 
-	func_warning "this platform does not like uninstalled shared libraries"
-	func_warning "\`$output' will be relinked during installation"
-      else
-	if test "$fast_install" != no; then
-	  link_command="$finalize_var$compile_command$finalize_rpath"
-	  if test "$fast_install" = yes; then
-	    relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
-	  else
-	    # fast_install is set to needless
-	    relink_command=
-	  fi
-	else
-	  link_command="$compile_var$compile_command$compile_rpath"
-	  relink_command="$finalize_var$finalize_command$finalize_rpath"
-	fi
-      fi
+	  func_warning "this platform does not like uninstalled shared libraries"
+	  func_warning "'$output' will be relinked during installation"
+	  ;;
+        *,yes)
+	  link_command=$finalize_var$compile_command$finalize_rpath
+	  relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'`
+          ;;
+	*,no)
+	  link_command=$compile_var$compile_command$compile_rpath
+	  relink_command=$finalize_var$finalize_command$finalize_rpath
+          ;;
+	*,needless)
+	  link_command=$finalize_var$compile_command$finalize_rpath
+	  relink_command=
+          ;;
+      esac
 
       # Replace the output file specification.
       link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'`
@@ -9090,8 +10531,8 @@ EOF
 	    func_dirname_and_basename "$output" "" "."
 	    output_name=$func_basename_result
 	    output_path=$func_dirname_result
-	    cwrappersource="$output_path/$objdir/lt-$output_name.c"
-	    cwrapper="$output_path/$output_name.exe"
+	    cwrappersource=$output_path/$objdir/lt-$output_name.c
+	    cwrapper=$output_path/$output_name.exe
 	    $RM $cwrappersource $cwrapper
 	    trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
 
@@ -9112,7 +10553,7 @@ EOF
 	    trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15
 	    $opt_dry_run || {
 	      # note: this script will not be executed, so do not chmod.
-	      if test "x$build" = "x$host" ; then
+	      if test "x$build" = "x$host"; then
 		$cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result
 	      else
 		func_emit_wrapper no > $func_ltwrapper_scriptname_result
@@ -9135,25 +10576,27 @@ EOF
     # See if we need to build an old-fashioned archive.
     for oldlib in $oldlibs; do
 
-      if test "$build_libtool_libs" = convenience; then
-	oldobjs="$libobjs_save $symfileobj"
-	addlibs="$convenience"
-	build_libtool_libs=no
-      else
-	if test "$build_libtool_libs" = module; then
-	  oldobjs="$libobjs_save"
+      case $build_libtool_libs in
+        convenience)
+	  oldobjs="$libobjs_save $symfileobj"
+	  addlibs=$convenience
 	  build_libtool_libs=no
-	else
+	  ;;
+	module)
+	  oldobjs=$libobjs_save
+	  addlibs=$old_convenience
+	  build_libtool_libs=no
+          ;;
+	*)
 	  oldobjs="$old_deplibs $non_pic_objects"
-	  if test "$preload" = yes && test -f "$symfileobj"; then
-	    func_append oldobjs " $symfileobj"
-	  fi
-	fi
-	addlibs="$old_convenience"
-      fi
+	  $preload && test -f "$symfileobj" \
+	    && func_append oldobjs " $symfileobj"
+	  addlibs=$old_convenience
+	  ;;
+      esac
 
       if test -n "$addlibs"; then
-	gentop="$output_objdir/${outputname}x"
+	gentop=$output_objdir/${outputname}x
 	func_append generated " $gentop"
 
 	func_extract_archives $gentop $addlibs
@@ -9161,13 +10604,13 @@ EOF
       fi
 
       # Do each command in the archive commands.
-      if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
+      if test -n "$old_archive_from_new_cmds" && test yes = "$build_libtool_libs"; then
 	cmds=$old_archive_from_new_cmds
       else
 
 	# Add any objects from preloaded convenience libraries
 	if test -n "$dlprefiles"; then
-	  gentop="$output_objdir/${outputname}x"
+	  gentop=$output_objdir/${outputname}x
 	  func_append generated " $gentop"
 
 	  func_extract_archives $gentop $dlprefiles
@@ -9188,7 +10631,7 @@ EOF
 	  :
 	else
 	  echo "copying selected object files to avoid basename conflicts..."
-	  gentop="$output_objdir/${outputname}x"
+	  gentop=$output_objdir/${outputname}x
 	  func_append generated " $gentop"
 	  func_mkdir_p "$gentop"
 	  save_oldobjs=$oldobjs
@@ -9197,7 +10640,7 @@ EOF
 	  for obj in $save_oldobjs
 	  do
 	    func_basename "$obj"
-	    objbase="$func_basename_result"
+	    objbase=$func_basename_result
 	    case " $oldobjs " in
 	    " ") oldobjs=$obj ;;
 	    *[\ /]"$objbase "*)
@@ -9266,18 +10709,18 @@ EOF
 	    else
 	      # the above command should be used before it gets too long
 	      oldobjs=$objlist
-	      if test "$obj" = "$last_oldobj" ; then
+	      if test "$obj" = "$last_oldobj"; then
 		RANLIB=$save_RANLIB
 	      fi
 	      test -z "$concat_cmds" || concat_cmds=$concat_cmds~
-	      eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\"
+	      eval concat_cmds=\"\$concat_cmds$old_archive_cmds\"
 	      objlist=
 	      len=$len0
 	    fi
 	  done
 	  RANLIB=$save_RANLIB
 	  oldobjs=$objlist
-	  if test "X$oldobjs" = "X" ; then
+	  if test -z "$oldobjs"; then
 	    eval cmds=\"\$concat_cmds\"
 	  else
 	    eval cmds=\"\$concat_cmds~\$old_archive_cmds\"
@@ -9294,7 +10737,7 @@ EOF
     case $output in
     *.la)
       old_library=
-      test "$build_old_libs" = yes && old_library="$libname.$libext"
+      test yes = "$build_old_libs" && old_library=$libname.$libext
       func_verbose "creating $output"
 
       # Preserve any variables that may affect compiler behavior
@@ -9309,31 +10752,31 @@ EOF
 	fi
       done
       # Quote the link command for shipping.
-      relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
+      relink_command="(cd `pwd`; $SHELL \"$progpath\" $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
       relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"`
-      if test "$hardcode_automatic" = yes ; then
+      if test yes = "$hardcode_automatic"; then
 	relink_command=
       fi
 
       # Only create the output if not a dry run.
       $opt_dry_run || {
 	for installed in no yes; do
-	  if test "$installed" = yes; then
+	  if test yes = "$installed"; then
 	    if test -z "$install_libdir"; then
 	      break
 	    fi
-	    output="$output_objdir/$outputname"i
+	    output=$output_objdir/${outputname}i
 	    # Replace all uninstalled libtool libraries with the installed ones
 	    newdependency_libs=
 	    for deplib in $dependency_libs; do
 	      case $deplib in
 	      *.la)
 		func_basename "$deplib"
-		name="$func_basename_result"
+		name=$func_basename_result
 		func_resolve_sysroot "$deplib"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result`
 		test -z "$libdir" && \
-		  func_fatal_error "\`$deplib' is not a valid libtool archive"
+		  func_fatal_error "'$deplib' is not a valid libtool archive"
 		func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name"
 		;;
 	      -L*)
@@ -9349,23 +10792,23 @@ EOF
 	      *) func_append newdependency_libs " $deplib" ;;
 	      esac
 	    done
-	    dependency_libs="$newdependency_libs"
+	    dependency_libs=$newdependency_libs
 	    newdlfiles=
 
 	    for lib in $dlfiles; do
 	      case $lib in
 	      *.la)
 	        func_basename "$lib"
-		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		name=$func_basename_result
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
-		  func_fatal_error "\`$lib' is not a valid libtool archive"
+		  func_fatal_error "'$lib' is not a valid libtool archive"
 		func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
 	      *) func_append newdlfiles " $lib" ;;
 	      esac
 	    done
-	    dlfiles="$newdlfiles"
+	    dlfiles=$newdlfiles
 	    newdlprefiles=
 	    for lib in $dlprefiles; do
 	      case $lib in
@@ -9375,34 +10818,34 @@ EOF
 		# didn't already link the preopened objects directly into
 		# the library:
 		func_basename "$lib"
-		name="$func_basename_result"
-		eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
+		name=$func_basename_result
+		eval libdir=`$SED -n -e 's/^libdir=\(.*\)$/\1/p' $lib`
 		test -z "$libdir" && \
-		  func_fatal_error "\`$lib' is not a valid libtool archive"
+		  func_fatal_error "'$lib' is not a valid libtool archive"
 		func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name"
 		;;
 	      esac
 	    done
-	    dlprefiles="$newdlprefiles"
+	    dlprefiles=$newdlprefiles
 	  else
 	    newdlfiles=
 	    for lib in $dlfiles; do
 	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		[\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
 	      func_append newdlfiles " $abs"
 	    done
-	    dlfiles="$newdlfiles"
+	    dlfiles=$newdlfiles
 	    newdlprefiles=
 	    for lib in $dlprefiles; do
 	      case $lib in
-		[\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;;
+		[\\/]* | [A-Za-z]:[\\/]*) abs=$lib ;;
 		*) abs=`pwd`"/$lib" ;;
 	      esac
 	      func_append newdlprefiles " $abs"
 	    done
-	    dlprefiles="$newdlprefiles"
+	    dlprefiles=$newdlprefiles
 	  fi
 	  $RM $output
 	  # place dlname in correct position for cygwin
@@ -9418,10 +10861,9 @@ EOF
 	  case $host,$output,$installed,$module,$dlname in
 	    *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll)
 	      # If a -bindir argument was supplied, place the dll there.
-	      if test "x$bindir" != x ;
-	      then
+	      if test -n "$bindir"; then
 		func_relative_path "$install_libdir" "$bindir"
-		tdlname=$func_relative_path_result$dlname
+		tdlname=$func_relative_path_result/$dlname
 	      else
 		# Otherwise fall back on heuristic.
 		tdlname=../bin/$dlname
@@ -9430,7 +10872,7 @@ EOF
 	  esac
 	  $ECHO > $output "\
 # $outputname - a libtool library file
-# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION
+# Generated by $PROGRAM (GNU $PACKAGE) $VERSION
 #
 # Please DO NOT delete this file!
 # It is necessary for linking the library.
@@ -9444,7 +10886,7 @@ library_names='$library_names'
 # The name of the static archive.
 old_library='$old_library'
 
-# Linker flags that can not go in dependency_libs.
+# Linker flags that cannot go in dependency_libs.
 inherited_linker_flags='$new_inherited_linker_flags'
 
 # Libraries that this one depends upon.
@@ -9470,7 +10912,7 @@ dlpreopen='$dlprefiles'
 
 # Directory that this library needs to be installed in:
 libdir='$install_libdir'"
-	  if test "$installed" = no && test "$need_relink" = yes; then
+	  if test no,yes = "$installed,$need_relink"; then
 	    $ECHO >> $output "\
 relink_command=\"$relink_command\""
 	  fi
@@ -9485,27 +10927,29 @@ relink_command=\"$relink_command\""
     exit $EXIT_SUCCESS
 }
 
-{ test "$opt_mode" = link || test "$opt_mode" = relink; } &&
-    func_mode_link ${1+"$@"}
+if test link = "$opt_mode" || test relink = "$opt_mode"; then
+  func_mode_link ${1+"$@"}
+fi
 
 
 # func_mode_uninstall arg...
 func_mode_uninstall ()
 {
-    $opt_debug
-    RM="$nonopt"
+    $debug_cmd
+
+    RM=$nonopt
     files=
-    rmforce=
+    rmforce=false
     exit_status=0
 
     # This variable tells wrapper scripts just to set variables rather
     # than running their programs.
-    libtool_install_magic="$magic"
+    libtool_install_magic=$magic
 
     for arg
     do
       case $arg in
-      -f) func_append RM " $arg"; rmforce=yes ;;
+      -f) func_append RM " $arg"; rmforce=: ;;
       -*) func_append RM " $arg" ;;
       *) func_append files " $arg" ;;
       esac
@@ -9518,18 +10962,18 @@ func_mode_uninstall ()
 
     for file in $files; do
       func_dirname "$file" "" "."
-      dir="$func_dirname_result"
-      if test "X$dir" = X.; then
-	odir="$objdir"
+      dir=$func_dirname_result
+      if test . = "$dir"; then
+	odir=$objdir
       else
-	odir="$dir/$objdir"
+	odir=$dir/$objdir
       fi
       func_basename "$file"
-      name="$func_basename_result"
-      test "$opt_mode" = uninstall && odir="$dir"
+      name=$func_basename_result
+      test uninstall = "$opt_mode" && odir=$dir
 
       # Remember odir for removal later, being careful to avoid duplicates
-      if test "$opt_mode" = clean; then
+      if test clean = "$opt_mode"; then
 	case " $rmdirs " in
 	  *" $odir "*) ;;
 	  *) func_append rmdirs " $odir" ;;
@@ -9544,11 +10988,11 @@ func_mode_uninstall ()
       elif test -d "$file"; then
 	exit_status=1
 	continue
-      elif test "$rmforce" = yes; then
+      elif $rmforce; then
 	continue
       fi
 
-      rmfiles="$file"
+      rmfiles=$file
 
       case $name in
       *.la)
@@ -9562,7 +11006,7 @@ func_mode_uninstall ()
 	  done
 	  test -n "$old_library" && func_append rmfiles " $odir/$old_library"
 
-	  case "$opt_mode" in
+	  case $opt_mode in
 	  clean)
 	    case " $library_names " in
 	    *" $dlname "*) ;;
@@ -9573,12 +11017,12 @@ func_mode_uninstall ()
 	  uninstall)
 	    if test -n "$library_names"; then
 	      # Do each command in the postuninstall commands.
-	      func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
+	      func_execute_cmds "$postuninstall_cmds" '$rmforce || exit_status=1'
 	    fi
 
 	    if test -n "$old_library"; then
 	      # Do each command in the old_postuninstall commands.
-	      func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1'
+	      func_execute_cmds "$old_postuninstall_cmds" '$rmforce || exit_status=1'
 	    fi
 	    # FIXME: should reinstall the best remaining shared library.
 	    ;;
@@ -9594,21 +11038,19 @@ func_mode_uninstall ()
 	  func_source $dir/$name
 
 	  # Add PIC object to the list of files to remove.
-	  if test -n "$pic_object" &&
-	     test "$pic_object" != none; then
+	  if test -n "$pic_object" && test none != "$pic_object"; then
 	    func_append rmfiles " $dir/$pic_object"
 	  fi
 
 	  # Add non-PIC object to the list of files to remove.
-	  if test -n "$non_pic_object" &&
-	     test "$non_pic_object" != none; then
+	  if test -n "$non_pic_object" && test none != "$non_pic_object"; then
 	    func_append rmfiles " $dir/$non_pic_object"
 	  fi
 	fi
 	;;
 
       *)
-	if test "$opt_mode" = clean ; then
+	if test clean = "$opt_mode"; then
 	  noexename=$name
 	  case $file in
 	  *.exe)
@@ -9635,12 +11077,12 @@ func_mode_uninstall ()
 
 	    # note $name still contains .exe if it was in $file originally
 	    # as does the version of $file that was added into $rmfiles
-	    func_append rmfiles " $odir/$name $odir/${name}S.${objext}"
-	    if test "$fast_install" = yes && test -n "$relink_command"; then
+	    func_append rmfiles " $odir/$name $odir/${name}S.$objext"
+	    if test yes = "$fast_install" && test -n "$relink_command"; then
 	      func_append rmfiles " $odir/lt-$name"
 	    fi
-	    if test "X$noexename" != "X$name" ; then
-	      func_append rmfiles " $odir/lt-${noexename}.c"
+	    if test "X$noexename" != "X$name"; then
+	      func_append rmfiles " $odir/lt-$noexename.c"
 	    fi
 	  fi
 	fi
@@ -9649,7 +11091,7 @@ func_mode_uninstall ()
       func_show_eval "$RM $rmfiles" 'exit_status=1'
     done
 
-    # Try to remove the ${objdir}s in the directories where we deleted files
+    # Try to remove the $objdir's in the directories where we deleted files
     for dir in $rmdirs; do
       if test -d "$dir"; then
 	func_show_eval "rmdir $dir >/dev/null 2>&1"
@@ -9659,16 +11101,17 @@ func_mode_uninstall ()
     exit $exit_status
 }
 
-{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } &&
-    func_mode_uninstall ${1+"$@"}
+if test uninstall = "$opt_mode" || test clean = "$opt_mode"; then
+  func_mode_uninstall ${1+"$@"}
+fi
 
 test -z "$opt_mode" && {
-  help="$generic_help"
+  help=$generic_help
   func_fatal_help "you must specify a MODE"
 }
 
 test -z "$exec_cmd" && \
-  func_fatal_help "invalid operation mode \`$opt_mode'"
+  func_fatal_help "invalid operation mode '$opt_mode'"
 
 if test -n "$exec_cmd"; then
   eval exec "$exec_cmd"
@@ -9679,7 +11122,7 @@ exit $exit_status
 
 
 # The TAGs below are defined such that we never get into a situation
-# in which we disable both kinds of libraries.  Given conflicting
+# where we disable both kinds of libraries.  Given conflicting
 # choices, we go for a static library, that is the most portable,
 # since we can't tell whether shared libraries were disabled because
 # the user asked for that or because the platform doesn't support
@@ -9702,5 +11145,3 @@ build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
 # mode:shell-script
 # sh-indentation:2
 # End:
-# vi:sw=2
-
diff --git a/usr.sbin/bind/make/rules.in b/usr.sbin/bind/make/rules.in
index b8ec113cfe5..6768294652e 100644
--- a/usr.sbin/bind/make/rules.in
+++ b/usr.sbin/bind/make/rules.in
@@ -1,5 +1,4 @@
-# Copyright (C) 2004-2009, 2011-2016  Internet Systems Consortium, Inc. ("ISC")
-# Copyright (C) 1998-2003  Internet Software Consortium.
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -87,7 +86,7 @@ install:: all
 
 install uninstall clean distclean maintainer-clean doc docclean man manclean::
 	@for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \
-		if [ "$$i" != "nulldir" -a -d $$i ]; then \
+		if [ "$$i" != "nulldir" -a -d $$i -a -f $$i/Makefile ]; then \
 			echo "making $@ in `pwd`/$$i"; \
 			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
 		fi; \
@@ -316,6 +315,7 @@ LATEX =			@LATEX@
 PDFLATEX =		@PDFLATEX@
 DBLATEX =		@DBLATEX@
 W3M =			@W3M@
+PANDOC =		@PANDOC@
 
 ###
 ### Script language program used to create internal symbol tables
diff --git a/usr.sbin/bind/util/bindkeys.pl b/usr.sbin/bind/util/bindkeys.pl
index 6e613822481..baafd5a6640 100644
--- a/usr.sbin/bind/util/bindkeys.pl
+++ b/usr.sbin/bind/util/bindkeys.pl
@@ -1,6 +1,6 @@
 #!/usr/bin/env perl
 #
-# Copyright (C) 2009-2012, 2014, 2017  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
 #
 # Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -34,6 +34,9 @@ $lines =~ s/managed-keys/trusted-keys/;
 $lines =~ s/\s+initial-key//g;
 my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
 
+print "#ifndef BIND_KEYS_H\n";
+print "#define BIND_KEYS_H 1\n";
 print $tkey;
 print "\n";
 print $mkey;
+print "#endif /* BIND_KEYS_H */\n";
diff --git a/usr.sbin/bind/version b/usr.sbin/bind/version
index 38db4316133..10e7d793297 100644
--- a/usr.sbin/bind/version
+++ b/usr.sbin/bind/version
@@ -5,7 +5,7 @@ PRODUCT=BIND
 DESCRIPTION=
 MAJORVER=9
 MINORVER=10
-PATCHVER=5
+PATCHVER=8
 RELEASETYPE=-P
-RELEASEVER=3
+RELEASEVER=1
 EXTENSIONS=