authorJakob Schlyter <jakob@cvs.openbsd.org>2007-12-09 13:39:46 +0000
committerJakob Schlyter <jakob@cvs.openbsd.org>2007-12-09 13:39:46 +0000
commit1173d5eff8dc423c129f442023419436ee94db23 (patch)
tree57c2bcdc1429b2e80b91a387cd1dc561dab988eb /usr.sbin/bind/bin/dig
parente4a92ccc5f8c866478b32a346c71150a2cdf5001 (diff)
resolve conflicts
Diffstat (limited to 'usr.sbin/bind/bin/dig')
-rw-r--r--usr.sbin/bind/bin/dig/Makefile.in6
-rw-r--r--usr.sbin/bind/bin/dig/dig.1249
-rw-r--r--usr.sbin/bind/bin/dig/dig.c321
-rw-r--r--usr.sbin/bind/bin/dig/dig.docbook1477
-rw-r--r--usr.sbin/bind/bin/dig/dig.html787
-rw-r--r--usr.sbin/bind/bin/dig/dighost.c672
-rw-r--r--usr.sbin/bind/bin/dig/host.143
-rw-r--r--usr.sbin/bind/bin/dig/host.c111
-rw-r--r--usr.sbin/bind/bin/dig/host.docbook437
-rw-r--r--usr.sbin/bind/bin/dig/host.html311
-rw-r--r--usr.sbin/bind/bin/dig/include/dig/dig.h61
-rw-r--r--usr.sbin/bind/bin/dig/nslookup.1174
-rw-r--r--usr.sbin/bind/bin/dig/nslookup.c30
13 files changed, 2981 insertions, 1698 deletions
diff --git a/usr.sbin/bind/bin/dig/Makefile.in b/usr.sbin/bind/bin/dig/Makefile.in
index 46ccff97998..daf459e0f3c 100644
--- a/usr.sbin/bind/bin/dig/Makefile.in
+++ b/usr.sbin/bind/bin/dig/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
# Copyright (C) 2000-2002 Internet Software Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $ISC: Makefile.in,v 1.25.12.12 2004/08/18 23:25:57 marka Exp $
+# $ISC: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -45,7 +45,7 @@ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \
${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCLIBS} \
- ${ISCCFGLIBS} @LIBS@
+ ${ISCCFGLIBS} @IDNLIBS@ @LIBS@
SUBDIRS =
diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1
index 68944537e62..52e423a2014 100644
--- a/usr.sbin/bind/bin/dig/dig.1
+++ b/usr.sbin/bind/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2003 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $ISC: dig.1,v 1.14.2.4.2.11 2006/06/29 13:02:30 marka Exp $
+.\" $ISC: dig.1,v 1.23.18.22 2007/05/16 06:11:27 marka Exp $
.\"
.hy 0
.ad l
.\" Title: dig
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
@@ -33,7 +33,7 @@
dig \- DNS lookup utility
.SH "SYNOPSIS"
.HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
.HP 4
\fBdig\fR [\fB\-h\fR]
.HP 4
@@ -50,7 +50,7 @@ Although
\fBdig\fR
is normally used with command\-line arguments, it also has a batch mode of operation for reading lookup requests from a file. A brief summary of its command\-line arguments and options is printed when the
\fB\-h\fR
-option is given. Unlike earlier versions, the BIND9 implementation of
+option is given. Unlike earlier versions, the BIND 9 implementation of
\fBdig\fR
allows multiple lookups to be issued from the command line.
.PP
@@ -65,21 +65,30 @@ It is possible to set per\-user defaults for
\fBdig\fR
via
\fI${HOME}/.digrc\fR. This file is read and any options in it are applied before the command line arguments.
+.PP
+The IN and CH class names overlap with the IN and CH top level domains names. Either use the
+\fB\-t\fR
+and
+\fB\-c\fR
+options to specify the type and class or use the
+\fB\-q\fR
+the specify the domain name or use "IN." and "CH." when looking up these top level domains.
.SH "SIMPLE USAGE"
.PP
A typical invocation of
\fBdig\fR
looks like:
.sp
-.RS 3n
+.RS 4
.nf
dig @server name type
.fi
.RE
.sp
where:
-.TP 3n
+.PP
\fBserver\fR
+.RS 4
is the name or IP address of the name server to query. This can be an IPv4 address in dotted\-decimal notation or an IPv6 address in colon\-delimited notation. When the supplied
\fIserver\fR
argument is a hostname,
@@ -91,11 +100,15 @@ argument is provided,
consults
\fI/etc/resolv.conf\fR
and queries the name servers listed there. The reply from the name server that responds is displayed.
-.TP 3n
+.RE
+.PP
\fBname\fR
+.RS 4
is the name of the resource record that is to be looked up.
-.TP 3n
+.RE
+.PP
\fBtype\fR
+.RS 4
indicates what type of query is required \(em ANY, A, MX, SIG, etc.
\fItype\fR
can be any valid query type. If no
@@ -103,6 +116,7 @@ can be any valid query type. If no
argument is supplied,
\fBdig\fR
will perform a lookup for an A record.
+.RE
.SH "OPTIONS"
.PP
The
@@ -114,14 +128,14 @@ The default query class (IN for internet) is overridden by the
\fB\-c\fR
option.
\fIclass\fR
-is any valid class, such as HS for Hesiod records or CH for CHAOSNET records.
+is any valid class, such as HS for Hesiod records or CH for Chaosnet records.
.PP
The
\fB\-f\fR
option makes
\fBdig \fR
operate in batch mode by reading a list of lookup requests to process from the file
-\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organised in the same way they would be presented as queries to
+\fIfilename\fR. The file contains a number of queries, one per line. Each entry in the file should be organized in the same way they would be presented as queries to
\fBdig\fR
using the command\-line interface.
.PP
@@ -146,7 +160,7 @@ to only use IPv6 query transport.
The
\fB\-t\fR
option sets the query type to
-\fItype\fR. It can be any valid query type which is supported in BIND9. The default query type "A", unless the
+\fItype\fR. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the
\fB\-x\fR
option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR. When an incremental zone transfer (IXFR) is required,
\fItype\fR
@@ -154,7 +168,14 @@ is set to
ixfr=N. The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was
\fIN\fR.
.PP
-Reverse lookups \- mapping addresses to names \- are simplified by the
+The
+\fB\-q\fR
+option sets the query name to
+\fIname\fR. This useful do distinguish the
+\fIname\fR
+from other arguments.
+.PP
+Reverse lookups \(em mapping addresses to names \(em are simplified by the
\fB\-x\fR
option.
\fIaddr\fR
@@ -178,6 +199,8 @@ and their responses using transaction signatures (TSIG), specify a TSIG key file
option. You can also specify the TSIG key itself on the command line using the
\fB\-y\fR
option;
+\fIhmac\fR
+is the type of the TSIG, default HMAC\-MD5,
\fIname\fR
is the name of the TSIG key and
\fIkey\fR
@@ -185,7 +208,7 @@ is the actual key. The key is a base\-64 encoded string, typically generated by
\fBdnssec\-keygen\fR(8). Caution should be taken when using the
\fB\-y\fR
option on multi\-user systems as the key can be visible in the output from
-\fBps\fR(1 )
+\fBps\fR(1)
or in the shell's history file. When using TSIG authentication with
\fBdig\fR, the name server that is queried needs to know the key and algorithm that is being used. In BIND, this is done by providing appropriate
\fBkey\fR
@@ -202,19 +225,26 @@ Each query option is identified by a keyword preceded by a plus sign (+). Some k
no
to negate the meaning of that keyword. Other keywords assign values to options like the timeout interval. They have the form
\fB+keyword=value\fR. The query options are:
-.TP 3n
+.PP
\fB+[no]tcp\fR
-Use [do not use] TCP when querying name servers. The default behaviour is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
-.TP 3n
+.RS 4
+Use [do not use] TCP when querying name servers. The default behavior is to use UDP unless an AXFR or IXFR query is requested, in which case a TCP connection is used.
+.RE
+.PP
\fB+[no]vc\fR
+.RS 4
Use [do not use] TCP when querying name servers. This alternate syntax to
\fI+[no]tcp\fR
is provided for backwards compatibility. The "vc" stands for "virtual circuit".
-.TP 3n
+.RE
+.PP
\fB+[no]ignore\fR
+.RS 4
Ignore truncation in UDP responses instead of retrying with TCP. By default, TCP retries are performed.
-.TP 3n
+.RE
+.PP
\fB+domain=somename\fR
+.RS 4
Set the search list to contain the single domain
\fIsomename\fR, as if specified in a
\fBdomain\fR
@@ -222,36 +252,59 @@ directive in
\fI/etc/resolv.conf\fR, and enable search list processing as if the
\fI+search\fR
option were given.
-.TP 3n
+.RE
+.PP
\fB+[no]search\fR
+.RS 4
Use [do not use] the search list defined by the searchlist or domain directive in
\fIresolv.conf\fR
(if any). The search list is not used by default.
-.TP 3n
+.RE
+.PP
+\fB+[no]showsearch\fR
+.RS 4
+Perform [do not perform] a search showing intermediate results.
+.RE
+.PP
\fB+[no]defname\fR
+.RS 4
Deprecated, treated as a synonym for
\fI+[no]search\fR
-.TP 3n
+.RE
+.PP
\fB+[no]aaonly\fR
+.RS 4
Sets the "aa" flag in the query.
-.TP 3n
+.RE
+.PP
\fB+[no]aaflag\fR
+.RS 4
A synonym for
\fI+[no]aaonly\fR.
-.TP 3n
+.RE
+.PP
\fB+[no]adflag\fR
+.RS 4
Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
-.TP 3n
+.RE
+.PP
\fB+[no]cdflag\fR
+.RS 4
Set [do not set] the CD (checking disabled) bit in the query. This requests the server to not perform DNSSEC validation of responses.
-.TP 3n
+.RE
+.PP
\fB+[no]cl\fR
+.RS 4
Display [do not display] the CLASS when printing the record.
-.TP 3n
+.RE
+.PP
\fB+[no]ttlid\fR
+.RS 4
Display [do not display] the TTL when printing the record.
-.TP 3n
+.RE
+.PP
\fB+[no]recurse\fR
+.RS 4
Toggle the setting of the RD (recursion desired) bit in the query. This bit is set by default, which means
\fBdig\fR
normally sends recursive queries. Recursion is automatically disabled when the
@@ -259,75 +312,109 @@ normally sends recursive queries. Recursion is automatically disabled when the
or
\fI+trace\fR
query options are used.
-.TP 3n
+.RE
+.PP
\fB+[no]nssearch\fR
+.RS 4
When this option is set,
\fBdig\fR
attempts to find the authoritative name servers for the zone containing the name being looked up and display the SOA record that each name server has for the zone.
-.TP 3n
+.RE
+.PP
\fB+[no]trace\fR
+.RS 4
Toggle tracing of the delegation path from the root name servers for the name being looked up. Tracing is disabled by default. When tracing is enabled,
\fBdig\fR
makes iterative queries to resolve the name being looked up. It will follow referrals from the root servers, showing the answer from each server that was used to resolve the lookup.
-.TP 3n
+.RE
+.PP
\fB+[no]cmd\fR
-toggles the printing of the initial comment in the output identifying the version of
+.RS 4
+Toggles the printing of the initial comment in the output identifying the version of
\fBdig\fR
and the query options that have been applied. This comment is printed by default.
-.TP 3n
+.RE
+.PP
\fB+[no]short\fR
+.RS 4
Provide a terse answer. The default is to print the answer in a verbose form.
-.TP 3n
+.RE
+.PP
\fB+[no]identify\fR
+.RS 4
Show [or do not show] the IP address and port number that supplied the answer when the
\fI+short\fR
option is enabled. If short form answers are requested, the default is not to show the source address and port number of the server that provided the answer.
-.TP 3n
+.RE
+.PP
\fB+[no]comments\fR
+.RS 4
Toggle the display of comment lines in the output. The default is to print comments.
-.TP 3n
+.RE
+.PP
\fB+[no]stats\fR
-This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behaviour is to print the query statistics.
-.TP 3n
+.RS 4
+This query option toggles the printing of statistics: when the query was made, the size of the reply and so on. The default behavior is to print the query statistics.
+.RE
+.PP
\fB+[no]qr\fR
+.RS 4
Print [do not print] the query as it is sent. By default, the query is not printed.
-.TP 3n
+.RE
+.PP
\fB+[no]question\fR
+.RS 4
Print [do not print] the question section of a query when an answer is returned. The default is to print the question section as a comment.
-.TP 3n
+.RE
+.PP
\fB+[no]answer\fR
+.RS 4
Display [do not display] the answer section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
\fB+[no]authority\fR
+.RS 4
Display [do not display] the authority section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
\fB+[no]additional\fR
+.RS 4
Display [do not display] the additional section of a reply. The default is to display it.
-.TP 3n
+.RE
+.PP
\fB+[no]all\fR
+.RS 4
Set or clear all display flags.
-.TP 3n
+.RE
+.PP
\fB+time=T\fR
+.RS 4
Sets the timeout for a query to
\fIT\fR
-seconds. The default time out is 5 seconds. An attempt to set
+seconds. The default timeout is 5 seconds. An attempt to set
\fIT\fR
to less than 1 will result in a query timeout of 1 second being applied.
-.TP 3n
+.RE
+.PP
\fB+tries=T\fR
+.RS 4
Sets the number of times to try UDP queries to server to
\fIT\fR
instead of the default, 3. If
\fIT\fR
is less than or equal to zero, the number of tries is silently rounded up to 1.
-.TP 3n
+.RE
+.PP
\fB+retry=T\fR
+.RS 4
Sets the number of times to retry UDP queries to server to
\fIT\fR
instead of the default, 2. Unlike
\fI+tries\fR, this does not include the initial query.
-.TP 3n
+.RE
+.PP
\fB+ndots=D\fR
+.RS 4
Set the number of dots that have to appear in
\fIname\fR
to
@@ -339,30 +426,51 @@ or
\fBdomain\fR
directive in
\fI/etc/resolv.conf\fR.
-.TP 3n
+.RE
+.PP
\fB+bufsize=B\fR
+.RS 4
Set the UDP message buffer size advertised using EDNS0 to
\fIB\fR
-bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately.
-.TP 3n
+bytes. The maximum and minimum sizes of this buffer are 65535 and 0 respectively. Values outside this range are rounded up or down appropriately. Values other than zero will cause a EDNS query to be sent.
+.RE
+.PP
+\fB+edns=#\fR
+.RS 4
+Specify the EDNS version to query with. Valid values are 0 to 255. Setting the EDNS version will cause a EDNS query to be sent.
+\fB+noedns\fR
+clears the remembered EDNS version.
+.RE
+.PP
\fB+[no]multiline\fR
+.RS 4
Print records like the SOA records in a verbose multi\-line format with human\-readable comments. The default is to print each record on a single line, to facilitate machine parsing of the
\fBdig\fR
output.
-.TP 3n
+.RE
+.PP
\fB+[no]fail\fR
-Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behaviour.
-.TP 3n
+.RS 4
+Do not try the next server if you receive a SERVFAIL. The default is to not try the next server which is the reverse of normal stub resolver behavior.
+.RE
+.PP
\fB+[no]besteffort\fR
+.RS 4
Attempt to display the contents of messages which are malformed. The default is to not display malformed answers.
-.TP 3n
+.RE
+.PP
\fB+[no]dnssec\fR
+.RS 4
Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO) in the OPT record in the additional section of the query.
-.TP 3n
+.RE
+.PP
\fB+[no]sigchase\fR
+.RS 4
Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP 3n
+.RE
+.PP
\fB+trusted\-key=####\fR
+.RS 4
Specifies a file containing trusted keys to be used with
\fB+sigchase\fR. Each DNSKEY record must be on its own line.
.sp
@@ -375,9 +483,12 @@ then
in the current directory.
.sp
Requires dig be compiled with \-DDIG_SIGCHASE.
-.TP 3n
+.RE
+.PP
\fB+[no]topdown\fR
-When chasing DNSSEC signature chains perform a top down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
+.RS 4
+When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
+.RE
.SH "MULTIPLE QUERIES"
.PP
The BIND 9 implementation of
@@ -394,7 +505,7 @@ A global set of query options, which should be applied to all queries, can also
\fB+[no]cmd\fR
option) can be overridden by a query\-specific set of query options. For example:
.sp
-.RS 3n
+.RS 4
.nf
dig +qr www.isc.org any \-x 127.0.0.1 isc.org ns +noqr
.fi
@@ -414,6 +525,17 @@ which means that
\fBdig\fR
will not print the initial query when it looks up the NS records for
isc.org.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBdig\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBdig\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBdig\fR
+runs.
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
@@ -425,8 +547,11 @@ isc.org.
\fBnamed\fR(8),
\fBdnssec\-keygen\fR(8),
RFC1035.
-.SH "BUGS "
+.SH "BUGS"
.PP
There are probably too many query options.
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2003 Internet Software Consortium.
+.br
diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c
index 14a5c4a0105..ae9f8721049 100644
--- a/usr.sbin/bind/bin/dig/dig.c
+++ b/usr.sbin/bind/bin/dig/dig.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,9 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dig.c,v 1.157.2.13.2.31 2006/07/22 23:52:57 marka Exp $ */
+/* $ISC: dig.c,v 1.186.18.29 2007/08/28 07:19:55 tbox Exp $ */
+
+/*! \file */
#include <config.h>
#include <stdlib.h>
@@ -40,6 +42,7 @@
#include <dns/rdatatype.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
+#include <dns/tsig.h>
#include <bind9/getaddresses.h>
@@ -67,6 +70,7 @@ static isc_boolean_t short_form = ISC_FALSE, printcmd = ISC_TRUE,
ip6_int = ISC_FALSE, plusquest = ISC_FALSE, pluscomm = ISC_FALSE,
multiline = ISC_FALSE, nottl = ISC_FALSE, noclass = ISC_FALSE;
+/*% opcode text */
static const char *opcodetext[] = {
"QUERY",
"IQUERY",
@@ -86,6 +90,7 @@ static const char *opcodetext[] = {
"RESERVED15"
};
+/*% return code text */
static const char *rcodetext[] = {
"NOERROR",
"FORMERR",
@@ -106,6 +111,7 @@ static const char *rcodetext[] = {
"BADVERS"
};
+/*% print usage */
static void
print_usage(FILE *fp) {
fputs(
@@ -122,11 +128,13 @@ usage(void) {
exit(1);
}
+/*% version */
static void
version(void) {
fputs("DiG " VERSION "\n", stderr);
}
+/*% help */
static void
help(void) {
print_usage(stdout);
@@ -141,10 +149,11 @@ help(void) {
" -f filename (batch mode)\n"
" -b address[#port] (bind to source address/port)\n"
" -p port (specify port number)\n"
+" -q name (specify query name)\n"
" -t type (specify query type)\n"
" -c class (specify query class)\n"
" -k keyfile (specify tsig key file)\n"
-" -y name:key (specify named base64 tsig key)\n"
+" -y [hmac:]name:key (specify named base64 tsig key)\n"
" -4 (use IPv4 query transport only)\n"
" -6 (use IPv6 query transport only)\n"
" d-opt is of the form +keyword[=value], where keyword is:\n"
@@ -156,7 +165,9 @@ help(void) {
" +domain=### (Set default domainname)\n"
" +bufsize=### (Set EDNS0 Max UDP packet size)\n"
" +ndots=### (Set NDOTS value)\n"
+" +edns=### (Set EDNS version)\n"
" +[no]search (Set whether to use searchlist)\n"
+" +[no]showsearch (Search with intermediate results)\n"
" +[no]defname (Ditto)\n"
" +[no]recurse (Recursive mode)\n"
" +[no]ignore (Don't revert to TCP for TC responses.)"
@@ -198,7 +209,7 @@ help(void) {
stdout);
}
-/*
+/*%
* Callback from dighost.c to print the received message.
*/
void
@@ -219,10 +230,12 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
time(&tnow);
printf(";; WHEN: %s", ctime(&tnow));
if (query->lookup->doing_xfr) {
- printf(";; XFR size: %u records (messages %u)\n",
- query->rr_count, query->msg_count);
+ printf(";; XFR size: %u records (messages %u, "
+ "bytes %" ISC_PRINT_QUADFORMAT "u)\n",
+ query->rr_count, query->msg_count,
+ query->byte_count);
} else {
- printf(";; MSG SIZE rcvd: %d\n", bytes);
+ printf(";; MSG SIZE rcvd: %u\n", bytes);
}
if (key != NULL) {
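Review bot: The new `%u` conversion in the non-XFR branch is paired with `bytes`, which the signature in the hunk header declares as `int`, so the format and the argument type no longer match. Either keep `%d` or make the conversion explicit, `printf(";; MSG SIZE rcvd: %u\n", (unsigned int)bytes);`, the way the next hunk does with `(isc_uint64_t)bytes`. The XFR branch assumes `query->byte_count` is a 64-bit unsigned field; its declaration is not in this hunk, so confirm it matches `ISC_PRINT_QUADFORMAT "u"`. The body of received() extends beyond the hunk.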
@@ -236,8 +249,11 @@ received(int bytes, isc_sockaddr_t *from, dig_query_t *query) {
puts("");
} else if (query->lookup->identify && !short_form) {
diff = isc_time_microdiff(&now, &query->time_sent);
- printf(";; Received %u bytes from %s(%s) in %d ms\n\n",
- bytes, fromtext, query->servname,
+ printf(";; Received %" ISC_PRINT_QUADFORMAT "u bytes "
+ "from %s(%s) in %d ms\n\n",
+ query->lookup->doing_xfr ?
+ query->byte_count : (isc_uint64_t)bytes,
+ fromtext, query->servname,
(int)diff/1000);
}
}
@@ -253,7 +269,7 @@ trying(char *frm, dig_lookup_t *lookup) {
UNUSED(lookup);
}
-/*
+/*%
* Internal print routine used to print short form replies.
*/
static isc_result_t
@@ -283,7 +299,7 @@ say_message(dns_rdata_t *rdata, dig_query_t *query, isc_buffer_t *buf) {
return (ISC_R_SUCCESS);
}
-/*
+/*%
* short_form message print handler. Calls above say_message()
*/
static isc_result_t
@@ -475,7 +491,16 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
msg->counts[DNS_SECTION_ANSWER],
msg->counts[DNS_SECTION_AUTHORITY],
msg->counts[DNS_SECTION_ADDITIONAL]);
+
+ if (msg != query->lookup->sendmsg &&
+ (msg->flags & DNS_MESSAGEFLAG_RD) != 0 &&
+ (msg->flags & DNS_MESSAGEFLAG_RA) == 0)
+ printf(";; WARNING: recursion requested "
+ "but not available\n");
}
+ if (msg != query->lookup->sendmsg && extrabytes != 0U)
+ printf(";; WARNING: Messages has %u extra byte%s at "
+ "end\n", extrabytes, extrabytes != 0 ? "s" : "");
}
repopulate_buffer:
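Review bot: The plural suffix in the extra-bytes warning can never be empty: the `printf` is already guarded by `extrabytes != 0U` and the ternary tests `extrabytes != 0` again, so a single trailing byte is reported as "1 extra bytes". Test for one instead, `extrabytes, extrabytes != 1 ? "s" : "");`, and "Messages has" probably wants to read "Message has". Trailing data after a parsed DNS message is something a user troubleshooting a server will want reported accurately. `extrabytes` is set outside this hunk and printmessage() continues past it.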
@@ -578,7 +603,7 @@ cleanup:
return (result);
}
-/*
+/*%
* print the greeting message when the program first starts up.
*/
static void
@@ -616,42 +641,6 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
}
}
-/*
- * Reorder an argument list so that server names all come at the end.
- * This is a bit of a hack, to allow batch-mode processing to properly
- * handle the server options.
- */
-static void
-reorder_args(int argc, char *argv[]) {
- int i, j;
- char *ptr;
- int end;
-
- debug("reorder_args()");
- end = argc - 1;
- while (argv[end][0] == '@') {
- end--;
- if (end == 0)
- return;
- }
- debug("arg[end]=%s", argv[end]);
- for (i = 1; i < end - 1; i++) {
- if (argv[i][0] == '@') {
- debug("arg[%d]=%s", i, argv[i]);
- ptr = argv[i];
- for (j = i + 1; j < end; j++) {
- debug("Moving %s to %d", argv[j], j - 1);
- argv[j - 1] = argv[j];
- }
- debug("moving %s to end, %d", ptr, end - 1);
- argv[end - 1] = ptr;
- end--;
- if (end < 1)
- return;
- }
- }
-}
-
static isc_uint32_t
parse_uint(char *arg, const char *desc, isc_uint32_t max) {
isc_result_t result;
@@ -665,7 +654,7 @@ parse_uint(char *arg, const char *desc, isc_uint32_t max) {
return (tmp);
}
-/*
+/*%
* We're not using isc_commandline_parse() here since the command line
* syntax of dig is quite a bit different from that which can be described
* by that routine.
@@ -804,6 +793,8 @@ plus_option(char *option, isc_boolean_t is_batchfile,
break;
case 'n': /* dnssec */
FULLCHECK("dnssec");
+ if (state && lookup->edns == -1)
+ lookup->edns = 0;
lookup->dnssec = state;
break;
case 'o': /* domain */
@@ -818,6 +809,16 @@ plus_option(char *option, isc_boolean_t is_batchfile,
goto invalid_option;
}
break;
+ case 'e':
+ FULLCHECK("edns");
+ if (!state) {
+ lookup->edns = -1;
+ break;
+ }
+ if (value == NULL)
+ goto need_value;
+ lookup->edns = (isc_int16_t) parse_uint(value, "edns", 255);
+ break;
case 'f': /* fail */
FULLCHECK("fail");
lookup->servfail_stops = state;
@@ -917,17 +918,30 @@ plus_option(char *option, isc_boolean_t is_batchfile,
FULLCHECK("search");
usesearch = state;
break;
- case 'h': /* short */
- FULLCHECK("short");
- short_form = state;
- if (state) {
- printcmd = ISC_FALSE;
- lookup->section_additional = ISC_FALSE;
- lookup->section_answer = ISC_TRUE;
- lookup->section_authority = ISC_FALSE;
- lookup->section_question = ISC_FALSE;
- lookup->comments = ISC_FALSE;
- lookup->stats = ISC_FALSE;
+ case 'h':
+ if (cmd[2] != 'o')
+ goto invalid_option;
+ switch (cmd[3]) {
+ case 'r': /* short */
+ FULLCHECK("short");
+ short_form = state;
+ if (state) {
+ printcmd = ISC_FALSE;
+ lookup->section_additional = ISC_FALSE;
+ lookup->section_answer = ISC_TRUE;
+ lookup->section_authority = ISC_FALSE;
+ lookup->section_question = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+ lookup->stats = ISC_FALSE;
+ }
+ break;
+ case 'w': /* showsearch */
+ FULLCHECK("showsearch");
+ showsearch = state;
+ usesearch = state;
+ break;
+ default:
+ goto invalid_option;
}
break;
#ifdef DIG_SIGCHASE
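Review bot: In the new `showsearch` case, `usesearch = state;` means `+noshowsearch` also switches search-list processing off, silently undoing an earlier `+search` on the same command line or in .digrc. If only the display of intermediate results is meant to be toggled, set it in one direction only: `if (state) usesearch = ISC_TRUE;`. If the coupling is intended, a short comment such as `/* showsearch implies search; noshowsearch disables both */` would make that explicit. The enclosing switch on the earlier characters of `cmd` starts outside this hunk.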
@@ -1036,16 +1050,18 @@ plus_option(char *option, isc_boolean_t is_batchfile,
return;
}
-/*
- * ISC_TRUE returned if value was used
+/*%
+ * #ISC_TRUE returned if value was used
*/
static const char *single_dash_opts = "46dhimnv";
static const char *dash_opts = "46bcdfhikmnptvyx";
static isc_boolean_t
dash_option(char *option, char *next, dig_lookup_t **lookup,
- isc_boolean_t *open_type_class)
+ isc_boolean_t *open_type_class, isc_boolean_t *need_clone,
+ isc_boolean_t config_only, int argc, char **argv,
+ isc_boolean_t *firstarg)
{
- char opt, *value, *ptr;
+ char opt, *value, *ptr, *ptr2, *ptr3;
isc_result_t result;
isc_boolean_t value_from_next;
isc_textregion_t tr;
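Review bot: `dash_opts` is left as `"46bcdfhikmnptvyx"` while a later hunk adds a `case 'q'` to dash_option(), so the list of recognised option letters and the switch now disagree. Where `dash_opts` is consulted is not visible in this hunk; if it gates the switch, `-q` would be rejected before reaching the new case, and `static const char *dash_opts = "46bcdfhikmnpqtvyx";` would fix that. The signature also grows to nine parameters, and a comment above it describing `need_clone` and `firstarg` as in/out flags shared with parse_args() would help the next reader. The function body continues beyond the hunk.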
@@ -1177,6 +1193,26 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
case 'p':
port = (in_port_t) parse_uint(value, "port number", MAXPORT);
return (value_from_next);
+ case 'q':
+ if (!config_only) {
+ if (*need_clone)
+ (*lookup) = clone_lookup(default_lookup,
+ ISC_TRUE);
+ *need_clone = ISC_TRUE;
+ strncpy((*lookup)->textname, value,
+ sizeof((*lookup)->textname));
+ (*lookup)->textname[sizeof((*lookup)->textname)-1]=0;
+ (*lookup)->trace_root = ISC_TF((*lookup)->trace ||
+ (*lookup)->ns_search_only);
+ (*lookup)->new_search = ISC_TRUE;
+ if (*firstarg) {
+ printgreeting(argc, argv, *lookup);
+ *firstarg = ISC_FALSE;
+ }
+ ISC_LIST_APPEND(lookup_list, (*lookup), link);
+ debug("looking up %s", (*lookup)->textname);
+ }
+ return (value_from_next);
case 't':
*open_type_class = ISC_FALSE;
if (strncasecmp(value, "ixfr=", 5) == 0) {
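Review bot: The `-q` case copies the name with `strncpy` followed by a manual terminator, while the `-x` case and parse_args() in this same file use `strlcpy` for the identical `textname` field. `strlcpy((*lookup)->textname, value, sizeof((*lookup)->textname));` does the bounded copy and the termination in one call and makes the following `[...-1]=0` line unnecessary. When `config_only` is set (the .digrc pass, judging by the parse_args call elsewhere in the diff) the value is consumed but ignored, which deserves a comment such as `/* -q is accepted but has no effect in config-only parsing */`. The switch in dash_option() starts and ends outside this hunk.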
@@ -1220,18 +1256,89 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
value);
return (value_from_next);
case 'y':
- ptr = next_token(&value,":");
+ ptr = next_token(&value,":"); /* hmac type or name */
if (ptr == NULL) {
usage();
}
- strlcpy(keynametext, ptr, sizeof(keynametext));
- ptr = next_token(&value, "");
- if (ptr == NULL)
+ ptr2 = next_token(&value, ":"); /* name or secret */
+ if (ptr2 == NULL)
usage();
- strlcpy(keysecret, ptr, sizeof(keysecret));
+ ptr3 = next_token(&value,":"); /* secret or NULL */
+ if (ptr3 != NULL) {
+ if (strcasecmp(ptr, "hmac-md5") == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-md5-", 9) == 0) {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = parse_uint(&ptr[9],
+ "digest-bits [0..128]",
+ 128);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha1") == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha1-", 10) == 0) {
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ digestbits = parse_uint(&ptr[10],
+ "digest-bits [0..160]",
+ 160);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha224") == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha224-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..224]",
+ 224);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha256") == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha256-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..256]",
+ 256);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha384") == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha384-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..384]",
+ 384);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else if (strcasecmp(ptr, "hmac-sha512") == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = 0;
+ } else if (strncasecmp(ptr, "hmac-sha512-", 12) == 0) {
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ digestbits = parse_uint(&ptr[12],
+ "digest-bits [0..512]",
+ 512);
+ digestbits = (digestbits + 7) & ~0x7U;
+ } else {
+ fprintf(stderr, ";; Warning, ignoring "
+ "invalid TSIG algorithm %s\n", ptr);
+ return (value_from_next);
+ }
+ ptr = ptr2;
+ ptr2 = ptr3;
+ } else {
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ digestbits = 0;
+ }
+ strlcpy(keynametext, ptr, sizeof(keynametext));
+ keynametext[sizeof(keynametext)-1]=0;
+ strlcpy(keysecret, ptr2, sizeof(keysecret));
+ keysecret[sizeof(keysecret)-1]=0;
return (value_from_next);
case 'x':
- *lookup = clone_lookup(default_lookup, ISC_TRUE);
+ if (*need_clone)
+ *lookup = clone_lookup(default_lookup, ISC_TRUE);
+ *need_clone = ISC_TRUE;
if (get_reverse(textname, sizeof(textname), value,
ip6_int, ISC_FALSE) == ISC_R_SUCCESS) {
strlcpy((*lookup)->textname, textname,
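Review bot: An unrecognised hmac prefix in `-y` only prints a warning and returns, leaving `keynametext` and `keysecret` untouched, so a typo in the algorithm name presumably lets the query go out without the TSIG key the user asked for. The two neighbouring malformed-input paths in this case call `usage()`; ending the final `else` branch with `usage();` instead of `return (value_from_next);` would fail closed (the "ignoring" wording of the message would then need adjusting). The `digest-bits` parsing accepts any value from 0 up to the hash length, so very short truncations are allowed unless a lower bound is enforced elsewhere, which is not visible here. The two `[sizeof(...)-1]=0;` lines after `strlcpy` are redundant, since `strlcpy` always terminates. dash_option() continues outside the hunk.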
@@ -1245,6 +1352,10 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
if (!(*lookup)->rdclassset)
(*lookup)->rdclass = dns_rdataclass_in;
(*lookup)->new_search = ISC_TRUE;
+ if (*firstarg) {
+ printgreeting(argc, argv, *lookup);
+ *firstarg = ISC_FALSE;
+ }
ISC_LIST_APPEND(lookup_list, *lookup, link);
} else {
fprintf(stderr, "Invalid IP address %s\n", value);
@@ -1259,10 +1370,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
return (ISC_FALSE);
}
-/*
+/*%
* Because we may be trying to do memory allocation recording, we're going
* to need to parse the arguments for the -m *before* we start the main
* argument parsing routine.
+ *
* I'd prefer not to have to do this, but I am not quite sure how else to
* fix the problem. Argument parsing in dig involves memory allocation
* by its nature, so it can't be done in the main argument parser.
@@ -1335,6 +1447,8 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
char rcfile[256];
#endif
char *input;
+ int i;
+ isc_boolean_t need_clone = ISC_TRUE;
/*
* The semantics for parsing the args is a bit complex; if
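Review bot: `need_clone` is declared without a comment, although it is really an ownership flag for `lookup`. It is set to ISC_FALSE only when `lookup` already holds a fresh clone that has not yet been appended to `lookup_list` (the `-f batchfile` branch), and the function's final `if (!need_clone) destroy_lookup(lookup);` depends on that to free an unused clone. I would state this at the declaration, e.g. `/* ISC_FALSE while lookup is an unqueued clone that parse_args still owns */`. The flag is also passed by address to dash_option, so the rule spans both functions; parse_args's body continues outside this hunk.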
@@ -1382,7 +1496,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
bargv[0] = argv[0];
argv0 = argv[0];
- reorder_args(bargc, (char **)bargv);
+ for(i = 0; i < bargc; i++)
+ debug(".digrc argv %d: %s",
+ i, bargv[i]);
parse_args(ISC_TRUE, ISC_TRUE, bargc,
(char **)bargv);
}
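Review bot: The added loop hands every token read from .digrc to debug() verbatim, so a `-y [hmac:]name:key` entry would put the base64 TSIG secret into debug output whenever debugging is enabled (how debug() is gated is not visible here). The same loop is added for batch-file lines in the two later `batch argv` hunks, one in parse_args and one in dighost_shutdown. Consider masking the value that follows `-y`, e.g. `debug(".digrc argv %d: %s", i, (i > 0 && strcmp(bargv[i - 1], "-y") == 0) ? "<redacted>" : bargv[i]);`. An attached form such as `-yname:key`, if dash_option accepts it, would need the same treatment.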
@@ -1391,7 +1507,12 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
#endif
}
- lookup = default_lookup;
+ if (is_batchfile && !config_only) {
+ /* Processing '-f batchfile'. */
+ lookup = clone_lookup(default_lookup, ISC_TRUE);
+ need_clone = ISC_FALSE;
+ } else
+ lookup = default_lookup;
rc = argc;
rv = argv;
@@ -1407,13 +1528,17 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
} else if (rv[0][0] == '-') {
if (rc <= 1) {
if (dash_option(&rv[0][1], NULL,
- &lookup, &open_type_class)) {
+ &lookup, &open_type_class,
+ &need_clone, config_only,
+ argc, argv, &firstarg)) {
rc--;
rv++;
}
} else {
if (dash_option(&rv[0][1], rv[1],
- &lookup, &open_type_class)) {
+ &lookup, &open_type_class,
+ &need_clone, config_only,
+ argc, argv, &firstarg)) {
rc--;
rv++;
}
@@ -1481,20 +1606,28 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
continue;
}
}
+
if (!config_only) {
- lookup = clone_lookup(default_lookup,
- ISC_TRUE);
+ if (need_clone)
+ lookup = clone_lookup(default_lookup,
+ ISC_TRUE);
+ need_clone = ISC_TRUE;
strlcpy(lookup->textname, rv[0],
sizeof(lookup->textname));
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
+ if (firstarg) {
+ printgreeting(argc, argv, lookup);
+ firstarg = ISC_FALSE;
+ }
ISC_LIST_APPEND(lookup_list, lookup, link);
debug("looking up %s", lookup->textname);
}
/* XXX Error message */
}
}
+
/*
* If we have a batchfile, seed the lookup list with the
* first entry, then trust the callback in dighost_shutdown
@@ -1529,15 +1662,20 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
bargv[0] = argv[0];
argv0 = argv[0];
- reorder_args(bargc, (char **)bargv);
+ for(i = 0; i < bargc; i++)
+ debug("batch argv %d: %s", i, bargv[i]);
parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
+ return;
}
+ return;
}
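Review bot: The `return;` added inside the inner block is followed directly by the closing brace and a second `return;`, so the inner one is redundant and can be dropped. Both exits also leave parse_args before the `if (!need_clone) destroy_lookup(lookup);` that this commit adds at the end of the function. That is harmless only if `need_clone` is always ISC_TRUE on this path, which depends on code outside the hunk (dash_option receives `&need_clone`). A one-line comment such as `/* lookup is default_lookup or already queued here; nothing to destroy */` would record the assumption. The enclosing block starts outside this hunk.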
/*
* If no lookup specified, search for root
*/
if ((lookup_list.head == NULL) && !config_only) {
- lookup = clone_lookup(default_lookup, ISC_TRUE);
+ if (need_clone)
+ lookup = clone_lookup(default_lookup, ISC_TRUE);
+ need_clone = ISC_TRUE;
lookup->trace_root = ISC_TF(lookup->trace ||
lookup->ns_search_only);
lookup->new_search = ISC_TRUE;
@@ -1549,10 +1687,9 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
firstarg = ISC_FALSE;
}
ISC_LIST_APPEND(lookup_list, lookup, link);
- } else if (!config_only && firstarg) {
- printgreeting(argc, argv, lookup);
- firstarg = ISC_FALSE;
}
+ if (!need_clone)
+ destroy_lookup(lookup);
}
/*
@@ -1566,7 +1703,7 @@ dighost_shutdown(void) {
int bargc;
char *bargv[16];
char *input;
-
+ int i;
if (batchname == NULL) {
isc_app_shutdown();
@@ -1594,7 +1731,8 @@ dighost_shutdown(void) {
bargv[0] = argv0;
- reorder_args(bargc, (char **)bargv);
+ for(i = 0; i < bargc; i++)
+ debug("batch argv %d: %s", i, bargv[i]);
parse_args(ISC_TRUE, ISC_FALSE, bargc, (char **)bargv);
start_lookup();
} else {
@@ -1606,10 +1744,10 @@ dighost_shutdown(void) {
}
}
+/*% Main processing routine for dig */
int
main(int argc, char **argv) {
isc_result_t result;
- dig_server_t *s, *s2;
ISC_LIST_INIT(lookup_list);
ISC_LIST_INIT(server_list);
@@ -1630,16 +1768,7 @@ main(int argc, char **argv) {
result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
check_result(result, "isc_app_onrun");
isc_app_run();
- s = ISC_LIST_HEAD(default_lookup->my_server_list);
- while (s != NULL) {
- debug("freeing server %p belonging to %p",
- s, default_lookup);
- s2 = s;
- s = ISC_LIST_NEXT(s, link);
- ISC_LIST_DEQUEUE(default_lookup->my_server_list, s2, link);
- isc_mem_free(mctx, s2);
- }
- isc_mem_free(mctx, default_lookup);
+ destroy_lookup(default_lookup);
if (batchname != NULL) {
if (batchfp != stdin)
fclose(batchfp);
diff --git a/usr.sbin/bind/bin/dig/dig.docbook b/usr.sbin/bind/bin/dig/dig.docbook
index 57984c186a8..9019bb929dc 100644
--- a/usr.sbin/bind/bin/dig/dig.docbook
+++ b/usr.sbin/bind/bin/dig/dig.docbook
@@ -1,11 +1,11 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- - Permission to use, copy, modify, and distribute this software for any
+ - Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@@ -18,24 +18,30 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $ISC: dig.docbook,v 1.4.2.7.4.12 2005/08/30 00:50:29 marka Exp $ -->
+<!-- $ISC: dig.docbook,v 1.17.18.21 2007/08/28 07:19:55 tbox Exp $ -->
+<refentry id="man.dig">
-<refentry>
+ <refentryinfo>
+ <date>Jun 30, 2000</date>
+ </refentryinfo>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+ <refmeta>
+ <refentrytitle>dig</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
-<refmeta>
-<refentrytitle>dig</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+ <refnamediv>
+ <refname>dig</refname>
+ <refpurpose>DNS lookup utility</refpurpose>
+ </refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
+ <year>2006</year>
+ <year>2007</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -47,595 +53,884 @@
</copyright>
</docinfo>
-<refnamediv>
-<refname>dig</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt">@server</arg>
-<arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
-<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
-<arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
-<arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
-<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
-<arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
-<arg><option>-y <replaceable class="parameter">name:key</replaceable></option></arg>
-<arg><option>-4</option></arg>
-<arg><option>-6</option></arg>
-<arg choice="opt">name</arg>
-<arg choice="opt">type</arg>
-<arg choice="opt">class</arg>
-<arg choice="opt" rep="repeat">queryopt</arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg><option>-h</option></arg>
-</cmdsynopsis>
-
-<cmdsynopsis>
-<command>dig</command>
-<arg choice="opt" rep="repeat">global-queryopt</arg>
-<arg choice="opt" rep="repeat">query</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>dig</command> (domain information groper) is a flexible tool
-for interrogating DNS name servers. It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried. Most DNS administrators use <command>dig</command> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output. Other lookup tools tend to have less functionality
-than <command>dig</command>.
-</para>
-
-<para>
-Although <command>dig</command> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file. A brief summary of its command-line arguments
-and options is printed when the <option>-h</option> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<command>dig</command> allows multiple lookups to be issued from the
-command line.
-</para>
-
-<para>
-Unless it is told to query a specific name server,
-<command>dig</command> will try each of the servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</para>
-
-<para>
-It is possible to set per-user defaults for <command>dig</command> via
-<filename>${HOME}/.digrc</filename>. This file is read and any options in it
-are applied before the command line arguments.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>SIMPLE USAGE</title>
-
-<para>
-A typical invocation of <command>dig</command> looks like:
-<programlisting> dig @server name type </programlisting> where:
-
-<variablelist>
-
-<varlistentry><term><constant>server</constant></term>
-<listitem><para>
-is the name or IP address of the name server to query. This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation. When the supplied
-<parameter>server</parameter> argument is a hostname,
-<command>dig</command> resolves that name before querying that name
-server. If no <parameter>server</parameter> argument is provided,
-<command>dig</command> consults <filename>/etc/resolv.conf</filename>
-and queries the name servers listed there. The reply from the name
-server that responds is displayed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>name</constant></term>
-<listitem><para>
-is the name of the resource record that is to be looked up.
-</para></listitem></varlistentry>
-
-<varlistentry><term><constant>type</constant></term>
-<listitem><para>
-indicates what type of query is required &mdash;
-ANY, A, MX, SIG, etc.
-<parameter>type</parameter> can be any valid query type. If no
-<parameter>type</parameter> argument is supplied,
-<command>dig</command> will perform a lookup for an A record.
-</para></listitem></varlistentry>
-
-</variablelist>
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>OPTIONS</title>
-
-<para>
-The <option>-b</option> option sets the source IP address of the query
-to <parameter>address</parameter>. This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::". An optional port
-may be specified by appending "#&lt;port&gt;"
-</para>
-
-<para>
-The default query class (IN for internet) is overridden by the
-<option>-c</option> option. <parameter>class</parameter> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</para>
-
-<para>
-The <option>-f</option> option makes <command>dig </command> operate
-in batch mode by reading a list of lookup requests to process from the
-file <parameter>filename</parameter>. The file contains a number of
-queries, one per line. Each entry in the file should be organised in
-the same way they would be presented as queries to
-<command>dig</command> using the command-line interface.
-</para>
-
-<para>
-If a non-standard port number is to be queried, the
-<option>-p</option> option is used. <parameter>port#</parameter> is
-the port number that <command>dig</command> will send its queries
-instead of the standard DNS port number 53. This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>dig</command> to only
-use IPv4 query transport. The <option>-6</option> option forces
-<command>dig</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option sets the query type to
-<parameter>type</parameter>. It can be any valid query type which is
-supported in BIND9. The default query type "A", unless the
-<option>-x</option> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR. When
-an incremental zone transfer (IXFR) is required,
-<parameter>type</parameter> is set to <literal>ixfr=N</literal>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<parameter>N</parameter>.
-</para>
-
-<para>
-Reverse lookups - mapping addresses to names - are simplified by the
-<option>-x</option> option. <parameter>addr</parameter> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<parameter>name</parameter>, <parameter>class</parameter> and
-<parameter>type</parameter> arguments. <command>dig</command>
-automatically performs a lookup for a name like
-<literal>11.12.13.10.in-addr.arpa</literal> and sets the query type and
-class to PTR and IN respectively. By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain
-specify the <option>-i</option> option. Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</para>
-
-<para>
-To sign the DNS queries sent by <command>dig</command> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <option>-k</option> option. You can also specify the TSIG
-key itself on the command line using the <option>-y</option> option;
-<parameter>name</parameter> is the name of the TSIG key and
-<parameter>key</parameter> is the actual key. The key is a base-64
-encoded string, typically generated by <citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-
-Caution should be taken when using the <option>-y</option> option on
-multi-user systems as the key can be visible in the output from
-<citerefentry> <refentrytitle>ps</refentrytitle><manvolnum>1
-</manvolnum> </citerefentry> or in the shell's history file. When
-using TSIG authentication with <command>dig</command>, the name
-server that is queried needs to know the key and algorithm that is
-being used. In BIND, this is done by providing appropriate
-<command>key</command> and <command>server</command> statements in
-<filename>named.conf</filename>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>QUERY OPTIONS</title>
-
-<para>
-<command>dig</command> provides a number of query options which affect
-the way in which lookups are made and the results displayed. Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</para>
-
-<para>
-Each query option is identified by a keyword preceded by a plus sign
-(<literal>+</literal>). Some keywords set or reset an option. These may be preceded
-by the string <literal>no</literal> to negate the meaning of that keyword. Other
-keywords assign values to options like the timeout interval. They
-have the form <option>+keyword=value</option>.
-The query options are:
-
-<variablelist>
-
-<varlistentry><term><option>+[no]tcp</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers. The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]vc</option></term>
-<listitem><para>
-Use [do not use] TCP when querying name servers. This alternate
-syntax to <parameter>+[no]tcp</parameter> is provided for backwards
-compatibility. The "vc" stands for "virtual circuit".
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ignore</option></term>
-<listitem><para>
-Ignore truncation in UDP responses instead of retrying with TCP. By
-default, TCP retries are performed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+domain=somename</option></term>
-<listitem><para>
-Set the search list to contain the single domain
-<parameter>somename</parameter>, as if specified in a
-<command>domain</command> directive in
-<filename>/etc/resolv.conf</filename>, and enable search list
-processing as if the <parameter>+search</parameter> option were given.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]search</option></term>
-<listitem><para>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <filename>resolv.conf</filename> (if any).
-The search list is not used by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]defname</option></term>
-<listitem><para>
-Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaonly</option></term>
-<listitem><para>
-Sets the "aa" flag in the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]aaflag</option></term>
-<listitem><para>
-A synonym for <parameter>+[no]aaonly</parameter>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]adflag</option></term>
-<listitem><para>
-Set [do not set] the AD (authentic data) bit in the query. The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cdflag</option></term>
-<listitem><para>
-Set [do not set] the CD (checking disabled) bit in the query. This
-requests the server to not perform DNSSEC validation of responses.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cl</option></term>
-<listitem><para>
-Display [do not display] the CLASS when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]ttlid</option></term>
-<listitem><para>
-Display [do not display] the TTL when printing the record.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]recurse</option></term>
-<listitem><para>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <command>dig</command>
-normally sends recursive queries. Recursion is automatically disabled
-when the <parameter>+nssearch</parameter> or
-<parameter>+trace</parameter> query options are used.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]nssearch</option></term>
-<listitem><para>
-When this option is set, <command>dig</command> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]trace</option></term>
-<listitem><para>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up. Tracing is disabled by default. When
-tracing is enabled, <command>dig</command> makes iterative queries to
-resolve the name being looked up. It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]cmd</option></term>
-<listitem><para>
-toggles the printing of the initial comment in the output identifying
-the version of <command>dig</command> and the query options that have
-been applied. This comment is printed by default.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]short</option></term>
-<listitem><para>
-Provide a terse answer. The default is to print the answer in a
-verbose form.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]identify</option></term>
-<listitem><para>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <parameter>+short</parameter> option is enabled. If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]comments</option></term>
-<listitem><para>
-Toggle the display of comment lines in the output. The default is to
-print comments.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]stats</option></term>
-<listitem><para>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on. The default behaviour is
-to print the query statistics.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]qr</option></term>
-<listitem><para>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]question</option></term>
-<listitem><para>
-Print [do not print] the question section of a query when an answer is
-returned. The default is to print the question section as a comment.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]answer</option></term>
-<listitem><para>
-Display [do not display] the answer section of a reply. The default
-is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]authority</option></term>
-<listitem><para>
-Display [do not display] the authority section of a reply. The
-default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]additional</option></term>
-<listitem><para>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]all</option></term>
-<listitem><para>
-Set or clear all display flags.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+time=T</option></term>
-<listitem><para>
-
-Sets the timeout for a query to
-<parameter>T</parameter> seconds. The default time out is 5 seconds.
-An attempt to set <parameter>T</parameter> to less than 1 will result
-in a query timeout of 1 second being applied.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+tries=T</option></term>
-<listitem><para>
-Sets the number of times to try UDP queries to server to
-<parameter>T</parameter> instead of the default, 3. If
-<parameter>T</parameter> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+retry=T</option></term>
-<listitem><para>
-Sets the number of times to retry UDP queries to server to
-<parameter>T</parameter> instead of the default, 2. Unlike
-<parameter>+tries</parameter>, this does not include the initial
-query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+ndots=D</option></term>
-<listitem><para>
-Set the number of dots that have to appear in
-<parameter>name</parameter> to <parameter>D</parameter> for it to be
-considered absolute. The default value is that defined using the
-ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
-ndots statement is present. Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<option>search</option> or <option>domain</option> directive in
-<filename>/etc/resolv.conf</filename>.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+bufsize=B</option></term>
-<listitem><para>
-Set the UDP message buffer size advertised using EDNS0 to
-<parameter>B</parameter> bytes. The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively. Values outside this range are
-rounded up or down appropriately.
-</para>
-</listitem></varlistentry>
-
-<varlistentry><term><option>+[no]multiline</option></term>
-<listitem><para>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments. The default is to print
-each record on a single line, to facilitate machine parsing
-of the <command>dig</command> output.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]fail</option></term>
-<listitem><para>
-Do not try the next server if you receive a SERVFAIL. The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]besteffort</option></term>
-<listitem><para>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]dnssec</option></term>
-<listitem><para>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</para></listitem></varlistentry>
-
-<varlistentry><term><option>+[no]sigchase</option></term>
-<listitem><para>
-Chase DNSSEC signature chains. Requires dig be compiled with
--DDIG_SIGCHASE.
-</para></listitem></varlistentry>
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dig</command>
+ <arg choice="opt">@server</arg>
+ <arg><option>-b <replaceable class="parameter">address</replaceable></option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-k <replaceable class="parameter">filename</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port#</replaceable></option></arg>
+ <arg><option>-q <replaceable class="parameter">name</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-x <replaceable class="parameter">addr</replaceable></option></arg>
+ <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>name:key</replaceable></option></arg>
+ <arg><option>-4</option></arg>
+ <arg><option>-6</option></arg>
+ <arg choice="opt">name</arg>
+ <arg choice="opt">type</arg>
+ <arg choice="opt">class</arg>
+ <arg choice="opt" rep="repeat">queryopt</arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>dig</command>
+ <arg><option>-h</option></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>dig</command>
+ <arg choice="opt" rep="repeat">global-queryopt</arg>
+ <arg choice="opt" rep="repeat">query</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dig</command>
+ (domain information groper) is a flexible tool
+ for interrogating DNS name servers. It performs DNS lookups and
+ displays the answers that are returned from the name server(s) that
+ were queried. Most DNS administrators use <command>dig</command> to
+ troubleshoot DNS problems because of its flexibility, ease of use and
+ clarity of output. Other lookup tools tend to have less functionality
+ than <command>dig</command>.
+ </para>
+
+ <para>
+ Although <command>dig</command> is normally used with
+ command-line
+ arguments, it also has a batch mode of operation for reading lookup
+ requests from a file. A brief summary of its command-line arguments
+ and options is printed when the <option>-h</option> option is given.
+ Unlike earlier versions, the BIND 9 implementation of
+ <command>dig</command> allows multiple lookups to be issued
+ from the
+ command line.
+ </para>
+
+ <para>
+ Unless it is told to query a specific name server,
+ <command>dig</command> will try each of the servers listed
+ in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+
+ <para>
+ When no command line arguments or options are given, will perform an
+ NS query for "." (the root).
+ </para>
+
+ <para>
+ It is possible to set per-user defaults for <command>dig</command> via
+ <filename>${HOME}/.digrc</filename>. This file is read and
+ any options in it
+ are applied before the command line arguments.
+ </para>
+
+ <para>
+ The IN and CH class names overlap with the IN and CH top level
+ domains names. Either use the <option>-t</option> and
+ <option>-c</option> options to specify the type and class or
+ use the <option>-q</option> the specify the domain name or
+ use "IN." and "CH." when looking up these top level domains.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>SIMPLE USAGE</title>
+
+ <para>
+ A typical invocation of <command>dig</command> looks like:
+ <programlisting> dig @server name type </programlisting>
+ where:
+
+ <variablelist>
+
+ <varlistentry>
+ <term><constant>server</constant></term>
+ <listitem>
+ <para>
+ is the name or IP address of the name server to query. This can
+ be an IPv4
+ address in dotted-decimal notation or an IPv6
+ address in colon-delimited notation. When the supplied
+ <parameter>server</parameter> argument is a
+ hostname,
+ <command>dig</command> resolves that name before
+ querying that name
+ server. If no <parameter>server</parameter>
+ argument is provided,
+ <command>dig</command> consults <filename>/etc/resolv.conf</filename>
+ and queries the name servers listed there. The reply from the
+ name
+ server that responds is displayed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>name</constant></term>
+ <listitem>
+ <para>
+ is the name of the resource record that is to be looked up.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>type</constant></term>
+ <listitem>
+ <para>
+ indicates what type of query is required &mdash;
+ ANY, A, MX, SIG, etc.
+ <parameter>type</parameter> can be any valid query
+ type. If no
+ <parameter>type</parameter> argument is supplied,
+ <command>dig</command> will perform a lookup for an
+ A record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <para>
+ The <option>-b</option> option sets the source IP address of the query
+ to <parameter>address</parameter>. This must be a valid
+ address on
+ one of the host's network interfaces or "0.0.0.0" or "::". An optional
+ port
+ may be specified by appending "#&lt;port&gt;"
+ </para>
+
+ <para>
+ The default query class (IN for internet) is overridden by the
+ <option>-c</option> option. <parameter>class</parameter> is
+ any valid
+ class, such as HS for Hesiod records or CH for Chaosnet records.
+ </para>
+
+ <para>
+ The <option>-f</option> option makes <command>dig </command>
+ operate
+ in batch mode by reading a list of lookup requests to process from the
+ file <parameter>filename</parameter>. The file contains a
+ number of
+ queries, one per line. Each entry in the file should be organized in
+ the same way they would be presented as queries to
+ <command>dig</command> using the command-line interface.
+ </para>
+
+ <para>
+ If a non-standard port number is to be queried, the
+ <option>-p</option> option is used. <parameter>port#</parameter> is
+ the port number that <command>dig</command> will send its
+ queries
+ instead of the standard DNS port number 53. This option would be used
+ to test a name server that has been configured to listen for queries
+ on a non-standard port number.
+ </para>
+
+ <para>
+ The <option>-4</option> option forces <command>dig</command>
+ to only
+ use IPv4 query transport. The <option>-6</option> option forces
+ <command>dig</command> to only use IPv6 query transport.
+ </para>
+
+ <para>
+ The <option>-t</option> option sets the query type to
+ <parameter>type</parameter>. It can be any valid query type
+ which is
+ supported in BIND 9. The default query type is "A", unless the
+ <option>-x</option> option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required,
+ <parameter>type</parameter> is set to <literal>ixfr=N</literal>.
+ The incremental zone transfer will contain the changes made to the zone
+ since the serial number in the zone's SOA record was
+ <parameter>N</parameter>.
+ </para>
+
+ <para>
+ The <option>-q</option> option sets the query name to
+ <parameter>name</parameter>. This useful do distinguish the
+ <parameter>name</parameter> from other arguments.
+ </para>
+
+ <para>
+ Reverse lookups &mdash; mapping addresses to names &mdash; are simplified by the
+ <option>-x</option> option. <parameter>addr</parameter> is
+ an IPv4
+ address in dotted-decimal notation, or a colon-delimited IPv6 address.
+ When this option is used, there is no need to provide the
+ <parameter>name</parameter>, <parameter>class</parameter> and
+ <parameter>type</parameter> arguments. <command>dig</command>
+ automatically performs a lookup for a name like
+ <literal>11.12.13.10.in-addr.arpa</literal> and sets the
+ query type and
+ class to PTR and IN respectively. By default, IPv6 addresses are
+ looked up using nibble format under the IP6.ARPA domain.
+ To use the older RFC1886 method using the IP6.INT domain
+ specify the <option>-i</option> option. Bit string labels (RFC2874)
+ are now experimental and are not attempted.
+ </para>
+
+ <para>
+ To sign the DNS queries sent by <command>dig</command> and
+ their
+ responses using transaction signatures (TSIG), specify a TSIG key file
+ using the <option>-k</option> option. You can also specify the TSIG
+ key itself on the command line using the <option>-y</option> option;
+ <parameter>hmac</parameter> is the type of the TSIG, default HMAC-MD5,
+ <parameter>name</parameter> is the name of the TSIG key and
+ <parameter>key</parameter> is the actual key. The key is a
+ base-64
+ encoded string, typically generated by
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+
+ Caution should be taken when using the <option>-y</option> option on
+ multi-user systems as the key can be visible in the output from
+ <citerefentry>
+ <refentrytitle>ps</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>
+ or in the shell's history file. When
+ using TSIG authentication with <command>dig</command>, the name
+ server that is queried needs to know the key and algorithm that is
+ being used. In BIND, this is done by providing appropriate
+ <command>key</command> and <command>server</command> statements in
+ <filename>named.conf</filename>.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>QUERY OPTIONS</title>
+
+ <para><command>dig</command>
+ provides a number of query options which affect
+ the way in which lookups are made and the results displayed. Some of
+ these set or reset flag bits in the query header, some determine which
+ sections of the answer get printed, and others determine the timeout
+ and retry strategies.
+ </para>
+
+ <para>
+ Each query option is identified by a keyword preceded by a plus sign
+ (<literal>+</literal>). Some keywords set or reset an
+ option. These may be preceded
+ by the string <literal>no</literal> to negate the meaning of
+ that keyword. Other
+ keywords assign values to options like the timeout interval. They
+ have the form <option>+keyword=value</option>.
+ The query options are:
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>+[no]tcp</option></term>
+ <listitem>
+ <para>
+ Use [do not use] TCP when querying name servers. The default
+ behavior is to use UDP unless an AXFR or IXFR query is
+ requested, in
+ which case a TCP connection is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]vc</option></term>
+ <listitem>
+ <para>
+ Use [do not use] TCP when querying name servers. This alternate
+ syntax to <parameter>+[no]tcp</parameter> is
+ provided for backwards
+ compatibility. The "vc" stands for "virtual circuit".
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]ignore</option></term>
+ <listitem>
+ <para>
+ Ignore truncation in UDP responses instead of retrying with TCP.
+ By
+ default, TCP retries are performed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+domain=somename</option></term>
+ <listitem>
+ <para>
+ Set the search list to contain the single domain
+ <parameter>somename</parameter>, as if specified in
+ a
+ <command>domain</command> directive in
+ <filename>/etc/resolv.conf</filename>, and enable
+ search list
+ processing as if the <parameter>+search</parameter>
+ option were given.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]search</option></term>
+ <listitem>
+ <para>
+ Use [do not use] the search list defined by the searchlist or
+ domain
+ directive in <filename>resolv.conf</filename> (if
+ any).
+ The search list is not used by default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]showsearch</option></term>
+ <listitem>
+ <para>
+ Perform [do not perform] a search showing intermediate
+ results.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]defname</option></term>
+ <listitem>
+ <para>
+ Deprecated, treated as a synonym for <parameter>+[no]search</parameter>
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]aaonly</option></term>
+ <listitem>
+ <para>
+ Sets the "aa" flag in the query.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]aaflag</option></term>
+ <listitem>
+ <para>
+ A synonym for <parameter>+[no]aaonly</parameter>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]adflag</option></term>
+ <listitem>
+ <para>
+ Set [do not set] the AD (authentic data) bit in the query. The
+ AD bit
+ currently has a standard meaning only in responses, not in
+ queries,
+ but the ability to set the bit in the query is provided for
+ completeness.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]cdflag</option></term>
+ <listitem>
+ <para>
+ Set [do not set] the CD (checking disabled) bit in the query.
+ This
+ requests the server to not perform DNSSEC validation of
+ responses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]cl</option></term>
+ <listitem>
+ <para>
+ Display [do not display] the CLASS when printing the record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]ttlid</option></term>
+ <listitem>
+ <para>
+ Display [do not display] the TTL when printing the record.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]recurse</option></term>
+ <listitem>
+ <para>
+ Toggle the setting of the RD (recursion desired) bit in the
+ query.
+ This bit is set by default, which means <command>dig</command>
+ normally sends recursive queries. Recursion is automatically
+ disabled
+ when the <parameter>+nssearch</parameter> or
+ <parameter>+trace</parameter> query options are
+ used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]nssearch</option></term>
+ <listitem>
+ <para>
+ When this option is set, <command>dig</command>
+ attempts to find the
+ authoritative name servers for the zone containing the name
+ being
+ looked up and display the SOA record that each name server has
+ for the
+ zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]trace</option></term>
+ <listitem>
+ <para>
+ Toggle tracing of the delegation path from the root name servers
+ for
+ the name being looked up. Tracing is disabled by default. When
+ tracing is enabled, <command>dig</command> makes
+ iterative queries to
+ resolve the name being looked up. It will follow referrals from
+ the
+ root servers, showing the answer from each server that was used
+ to
+ resolve the lookup.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]cmd</option></term>
+ <listitem>
+ <para>
+ Toggles the printing of the initial comment in the output
+ identifying
+ the version of <command>dig</command> and the query
+ options that have
+ been applied. This comment is printed by default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]short</option></term>
+ <listitem>
+ <para>
+ Provide a terse answer. The default is to print the answer in a
+ verbose form.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]identify</option></term>
+ <listitem>
+ <para>
+ Show [or do not show] the IP address and port number that
+ supplied the
+ answer when the <parameter>+short</parameter> option
+ is enabled. If
+ short form answers are requested, the default is not to show the
+ source address and port number of the server that provided the
+ answer.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]comments</option></term>
+ <listitem>
+ <para>
+ Toggle the display of comment lines in the output. The default
+ is to
+ print comments.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]stats</option></term>
+ <listitem>
+ <para>
+ This query option toggles the printing of statistics: when the
+ query
+ was made, the size of the reply and so on. The default
+ behavior is
+ to print the query statistics.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]qr</option></term>
+ <listitem>
+ <para>
+ Print [do not print] the query as it is sent.
+ By default, the query is not printed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]question</option></term>
+ <listitem>
+ <para>
+ Print [do not print] the question section of a query when an
+ answer is
+ returned. The default is to print the question section as a
+ comment.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]answer</option></term>
+ <listitem>
+ <para>
+ Display [do not display] the answer section of a reply. The
+ default
+ is to display it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]authority</option></term>
+ <listitem>
+ <para>
+ Display [do not display] the authority section of a reply. The
+ default is to display it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]additional</option></term>
+ <listitem>
+ <para>
+ Display [do not display] the additional section of a reply.
+ The default is to display it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]all</option></term>
+ <listitem>
+ <para>
+ Set or clear all display flags.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+time=T</option></term>
+ <listitem>
+ <para>
+
+ Sets the timeout for a query to
+ <parameter>T</parameter> seconds. The default
+ timeout is 5 seconds.
+ An attempt to set <parameter>T</parameter> to less
+ than 1 will result
+ in a query timeout of 1 second being applied.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+tries=T</option></term>
+ <listitem>
+ <para>
+ Sets the number of times to try UDP queries to server to
+ <parameter>T</parameter> instead of the default, 3.
+ If
+ <parameter>T</parameter> is less than or equal to
+ zero, the number of
+ tries is silently rounded up to 1.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+retry=T</option></term>
+ <listitem>
+ <para>
+ Sets the number of times to retry UDP queries to server to
+ <parameter>T</parameter> instead of the default, 2.
+ Unlike
+ <parameter>+tries</parameter>, this does not include
+ the initial
+ query.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+ndots=D</option></term>
+ <listitem>
+ <para>
+ Set the number of dots that have to appear in
+ <parameter>name</parameter> to <parameter>D</parameter> for it to be
+ considered absolute. The default value is that defined using
+ the
+ ndots statement in <filename>/etc/resolv.conf</filename>, or 1 if no
+ ndots statement is present. Names with fewer dots are
+ interpreted as
+ relative names and will be searched for in the domains listed in
+ the
+ <option>search</option> or <option>domain</option> directive in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+bufsize=B</option></term>
+ <listitem>
+ <para>
+ Set the UDP message buffer size advertised using EDNS0 to
+ <parameter>B</parameter> bytes. The maximum and minimum sizes
+ of this buffer are 65535 and 0 respectively. Values outside
+ this range are rounded up or down appropriately.
+ Values other than zero will cause a EDNS query to be sent.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
- <term><option>+trusted-key=####</option></term>
+ <term><option>+edns=#</option></term>
<listitem>
<para>
- Specifies a file containing trusted keys to be used with
+ Specify the EDNS version to query with. Valid values
+ are 0 to 255. Setting the EDNS version will cause a
+ EDNS query to be sent. <option>+noedns</option> clears the
+ remembered EDNS version.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]multiline</option></term>
+ <listitem>
+ <para>
+ Print records like the SOA records in a verbose multi-line
+ format with human-readable comments. The default is to print
+ each record on a single line, to facilitate machine parsing
+ of the <command>dig</command> output.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]fail</option></term>
+ <listitem>
+ <para>
+ Do not try the next server if you receive a SERVFAIL. The
+ default is
+ to not try the next server which is the reverse of normal stub
+ resolver
+ behavior.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]besteffort</option></term>
+ <listitem>
+ <para>
+ Attempt to display the contents of messages which are malformed.
+ The default is to not display malformed answers.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]dnssec</option></term>
+ <listitem>
+ <para>
+ Requests DNSSEC records be sent by setting the DNSSEC OK bit
+ (DO)
+ in the OPT record in the additional section of the query.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]sigchase</option></term>
+ <listitem>
+ <para>
+ Chase DNSSEC signature chains. Requires dig be compiled with
+ -DDIG_SIGCHASE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+trusted-key=####</option></term>
+ <listitem>
+ <para>
+ Specifies a file containing trusted keys to be used with
<option>+sigchase</option>. Each DNSKEY record must be
on its own line.
- </para>
+ </para>
<para>
If not specified <command>dig</command> will look for
<filename>/etc/trusted-key.key</filename> then
<filename>trusted-key.key</filename> in the current directory.
</para>
<para>
- Requires dig be compiled with -DDIG_SIGCHASE.
+ Requires dig be compiled with -DDIG_SIGCHASE.
</para>
- </listitem>
- </varlistentry>
-
-<varlistentry><term><option>+[no]topdown</option></term>
-<listitem><para>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</para></listitem></varlistentry>
-
-
-
-</variablelist>
-
-</para>
-</refsect1>
-
-<refsect1>
-<title>MULTIPLE QUERIES</title>
-
-<para>
-The BIND 9 implementation of <command>dig </command> supports
-specifying multiple queries on the command line (in addition to
-supporting the <option>-f</option> batch file option). Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</para>
-
-<para>
-In this case, each <parameter>query</parameter> argument represent an
-individual query in the command-line syntax described above. Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</para>
-
-<para>
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line. Any global query options (except
-the <option>+[no]cmd</option> option) can be
-overridden by a query-specific set of query options. For example:
-<programlisting>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>+[no]topdown</option></term>
+ <listitem>
+ <para>
+ When chasing DNSSEC signature chains perform a top-down
+ validation.
+ Requires dig be compiled with -DDIG_SIGCHASE.
+ </para>
+ </listitem>
+ </varlistentry>
+
+
+
+ </variablelist>
+
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>MULTIPLE QUERIES</title>
+
+ <para>
+ The BIND 9 implementation of <command>dig </command>
+ supports
+ specifying multiple queries on the command line (in addition to
+ supporting the <option>-f</option> batch file option). Each of those
+ queries can be supplied with its own set of flags, options and query
+ options.
+ </para>
+
+ <para>
+ In this case, each <parameter>query</parameter> argument
+ represent an
+ individual query in the command-line syntax described above. Each
+ consists of any of the standard options and flags, the name to be
+ looked up, an optional query type and class and any query options that
+ should be applied to that query.
+ </para>
+
+ <para>
+ A global set of query options, which should be applied to all queries,
+ can also be supplied. These global query options must precede the
+ first tuple of name, class, type, options, flags, and query options
+ supplied on the command line. Any global query options (except
+ the <option>+[no]cmd</option> option) can be
+ overridden by a query-specific set of query options. For example:
+ <programlisting>
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</programlisting>
-shows how <command>dig</command> could be used from the command line
-to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<literal>isc.org</literal>.
-
-A global query option of <parameter>+qr</parameter> is applied, so
-that <command>dig</command> shows the initial query it made for each
-lookup. The final query has a local query option of
-<parameter>+noqr</parameter> which means that <command>dig</command>
-will not print the initial query when it looks up the NS records for
-<literal>isc.org</literal>.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-<para>
-<filename>${HOME}/.digrc</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>,
-<citetitle>RFC1035</citetitle>.
-</para>
-</refsect1>
-
-<refsect1>
-<title>BUGS </title>
-<para>
-There are probably too many query options.
-</para>
-</refsect1>
-</refentry>
+ shows how <command>dig</command> could be used from the
+ command line
+ to make three lookups: an ANY query for <literal>www.isc.org</literal>, a
+ reverse lookup of 127.0.0.1 and a query for the NS records of
+ <literal>isc.org</literal>.
+
+ A global query option of <parameter>+qr</parameter> is
+ applied, so
+ that <command>dig</command> shows the initial query it made
+ for each
+ lookup. The final query has a local query option of
+ <parameter>+noqr</parameter> which means that <command>dig</command>
+ will not print the initial query when it looks up the NS records for
+ <literal>isc.org</literal>.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>IDN SUPPORT</title>
+ <para>
+ If <command>dig</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>dig</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>dig</command> runs.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+ <para><filename>/etc/resolv.conf</filename>
+ </para>
+ <para><filename>${HOME}/.digrc</filename>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>RFC1035</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>BUGS</title>
+ <para>
+ There are probably too many query options.
+ </para>
+ </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/usr.sbin/bind/bin/dig/dig.html b/usr.sbin/bind/bin/dig/dig.html
index 71d76149e75..1065d138203 100644
--- a/usr.sbin/bind/bin/dig/dig.html
+++ b/usr.sbin/bind/bin/dig/dig.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,501 +14,616 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $ISC: dig.html,v 1.6.2.4.2.15 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $ISC: dig.html,v 1.13.18.28 2007/05/16 06:11:27 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dig</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.dig"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>dig &#8212; DNS lookup utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dig</code> [@server] [<code class="option">-b <em class="replaceable"><code>address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-k <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port#</code></em></code>] [<code class="option">-q <em class="replaceable"><code>name</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-x <em class="replaceable"><code>addr</code></em></code>] [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]name:key</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] [name] [type] [class] [queryopt...]</p></div>
<div class="cmdsynopsis"><p><code class="command">dig</code> [<code class="option">-h</code>]</p></div>
<div class="cmdsynopsis"><p><code class="command">dig</code> [global-queryopt...] [query...]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2549541"></a><h2>DESCRIPTION</h2>
+<a name="id2543508"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dig</strong></span>
+ (domain information groper) is a flexible tool
+ for interrogating DNS name servers. It performs DNS lookups and
+ displays the answers that are returned from the name server(s) that
+ were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to
+ troubleshoot DNS problems because of its flexibility, ease of use and
+ clarity of output. Other lookup tools tend to have less functionality
+ than <span><strong class="command">dig</strong></span>.
+ </p>
<p>
-<span><strong class="command">dig</strong></span> (domain information groper) is a flexible tool
-for interrogating DNS name servers. It performs DNS lookups and
-displays the answers that are returned from the name server(s) that
-were queried. Most DNS administrators use <span><strong class="command">dig</strong></span> to
-troubleshoot DNS problems because of its flexibility, ease of use and
-clarity of output. Other lookup tools tend to have less functionality
-than <span><strong class="command">dig</strong></span>.
-</p>
+ Although <span><strong class="command">dig</strong></span> is normally used with
+ command-line
+ arguments, it also has a batch mode of operation for reading lookup
+ requests from a file. A brief summary of its command-line arguments
+ and options is printed when the <code class="option">-h</code> option is given.
+ Unlike earlier versions, the BIND 9 implementation of
+ <span><strong class="command">dig</strong></span> allows multiple lookups to be issued
+ from the
+ command line.
+ </p>
<p>
-Although <span><strong class="command">dig</strong></span> is normally used with command-line
-arguments, it also has a batch mode of operation for reading lookup
-requests from a file. A brief summary of its command-line arguments
-and options is printed when the <code class="option">-h</code> option is given.
-Unlike earlier versions, the BIND9 implementation of
-<span><strong class="command">dig</strong></span> allows multiple lookups to be issued from the
-command line.
-</p>
+ Unless it is told to query a specific name server,
+ <span><strong class="command">dig</strong></span> will try each of the servers listed
+ in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
<p>
-Unless it is told to query a specific name server,
-<span><strong class="command">dig</strong></span> will try each of the servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
+ When no command line arguments or options are given, will perform an
+ NS query for "." (the root).
+ </p>
<p>
-When no command line arguments or options are given, will perform an
-NS query for "." (the root).
-</p>
+ It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
+ <code class="filename">${HOME}/.digrc</code>. This file is read and
+ any options in it
+ are applied before the command line arguments.
+ </p>
<p>
-It is possible to set per-user defaults for <span><strong class="command">dig</strong></span> via
-<code class="filename">${HOME}/.digrc</code>. This file is read and any options in it
-are applied before the command line arguments.
-</p>
+ The IN and CH class names overlap with the IN and CH top level
+ domains names. Either use the <code class="option">-t</code> and
+ <code class="option">-c</code> options to specify the type and class or
+ use the <code class="option">-q</code> the specify the domain name or
+ use "IN." and "CH." when looking up these top level domains.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2549600"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543577"></a><h2>SIMPLE USAGE</h2>
<p>
-A typical invocation of <span><strong class="command">dig</strong></span> looks like:
-</p>
+ A typical invocation of <span><strong class="command">dig</strong></span> looks like:
+ </p>
<pre class="programlisting"> dig @server name type </pre>
-<p> where:
+<p>
+ where:
-</p>
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="constant">server</code></span></dt>
<dd><p>
-is the name or IP address of the name server to query. This can be an IPv4
-address in dotted-decimal notation or an IPv6
-address in colon-delimited notation. When the supplied
-<em class="parameter"><code>server</code></em> argument is a hostname,
-<span><strong class="command">dig</strong></span> resolves that name before querying that name
-server. If no <em class="parameter"><code>server</code></em> argument is provided,
-<span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
-and queries the name servers listed there. The reply from the name
-server that responds is displayed.
-</p></dd>
+ is the name or IP address of the name server to query. This can
+ be an IPv4
+ address in dotted-decimal notation or an IPv6
+ address in colon-delimited notation. When the supplied
+ <em class="parameter"><code>server</code></em> argument is a
+ hostname,
+ <span><strong class="command">dig</strong></span> resolves that name before
+ querying that name
+ server. If no <em class="parameter"><code>server</code></em>
+ argument is provided,
+ <span><strong class="command">dig</strong></span> consults <code class="filename">/etc/resolv.conf</code>
+ and queries the name servers listed there. The reply from the
+ name
+ server that responds is displayed.
+ </p></dd>
<dt><span class="term"><code class="constant">name</code></span></dt>
<dd><p>
-is the name of the resource record that is to be looked up.
-</p></dd>
+ is the name of the resource record that is to be looked up.
+ </p></dd>
<dt><span class="term"><code class="constant">type</code></span></dt>
<dd><p>
-indicates what type of query is required &#8212;
-ANY, A, MX, SIG, etc.
-<em class="parameter"><code>type</code></em> can be any valid query type. If no
-<em class="parameter"><code>type</code></em> argument is supplied,
-<span><strong class="command">dig</strong></span> will perform a lookup for an A record.
-</p></dd>
+ indicates what type of query is required &#8212;
+ ANY, A, MX, SIG, etc.
+ <em class="parameter"><code>type</code></em> can be any valid query
+ type. If no
+ <em class="parameter"><code>type</code></em> argument is supplied,
+ <span><strong class="command">dig</strong></span> will perform a lookup for an
+ A record.
+ </p></dd>
</dl></div>
<p>
-</p>
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2549747"></a><h2>OPTIONS</h2>
+<a name="id2543668"></a><h2>OPTIONS</h2>
+<p>
+ The <code class="option">-b</code> option sets the source IP address of the query
+ to <em class="parameter"><code>address</code></em>. This must be a valid
+ address on
+ one of the host's network interfaces or "0.0.0.0" or "::". An optional
+ port
+ may be specified by appending "#&lt;port&gt;"
+ </p>
<p>
-The <code class="option">-b</code> option sets the source IP address of the query
-to <em class="parameter"><code>address</code></em>. This must be a valid address on
-one of the host's network interfaces or "0.0.0.0" or "::". An optional port
-may be specified by appending "#&lt;port&gt;"
-</p>
+ The default query class (IN for internet) is overridden by the
+ <code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is
+ any valid
+ class, such as HS for Hesiod records or CH for Chaosnet records.
+ </p>
<p>
-The default query class (IN for internet) is overridden by the
-<code class="option">-c</code> option. <em class="parameter"><code>class</code></em> is any valid
-class, such as HS for Hesiod records or CH for CHAOSNET records.
-</p>
+ The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span>
+ operate
+ in batch mode by reading a list of lookup requests to process from the
+ file <em class="parameter"><code>filename</code></em>. The file contains a
+ number of
+ queries, one per line. Each entry in the file should be organized in
+ the same way they would be presented as queries to
+ <span><strong class="command">dig</strong></span> using the command-line interface.
+ </p>
<p>
-The <code class="option">-f</code> option makes <span><strong class="command">dig </strong></span> operate
-in batch mode by reading a list of lookup requests to process from the
-file <em class="parameter"><code>filename</code></em>. The file contains a number of
-queries, one per line. Each entry in the file should be organised in
-the same way they would be presented as queries to
-<span><strong class="command">dig</strong></span> using the command-line interface.
-</p>
+ If a non-standard port number is to be queried, the
+ <code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
+ the port number that <span><strong class="command">dig</strong></span> will send its
+ queries
+ instead of the standard DNS port number 53. This option would be used
+ to test a name server that has been configured to listen for queries
+ on a non-standard port number.
+ </p>
<p>
-If a non-standard port number is to be queried, the
-<code class="option">-p</code> option is used. <em class="parameter"><code>port#</code></em> is
-the port number that <span><strong class="command">dig</strong></span> will send its queries
-instead of the standard DNS port number 53. This option would be used
-to test a name server that has been configured to listen for queries
-on a non-standard port number.
-</p>
+ The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span>
+ to only
+ use IPv4 query transport. The <code class="option">-6</code> option forces
+ <span><strong class="command">dig</strong></span> to only use IPv6 query transport.
+ </p>
<p>
-The <code class="option">-4</code> option forces <span><strong class="command">dig</strong></span> to only
-use IPv4 query transport. The <code class="option">-6</code> option forces
-<span><strong class="command">dig</strong></span> to only use IPv6 query transport.
-</p>
+ The <code class="option">-t</code> option sets the query type to
+ <em class="parameter"><code>type</code></em>. It can be any valid query type
+ which is
+ supported in BIND 9. The default query type is "A", unless the
+ <code class="option">-x</code> option is supplied to indicate a reverse lookup.
+ A zone transfer can be requested by specifying a type of AXFR. When
+ an incremental zone transfer (IXFR) is required,
+ <em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
+ The incremental zone transfer will contain the changes made to the zone
+ since the serial number in the zone's SOA record was
+ <em class="parameter"><code>N</code></em>.
+ </p>
<p>
-The <code class="option">-t</code> option sets the query type to
-<em class="parameter"><code>type</code></em>. It can be any valid query type which is
-supported in BIND9. The default query type "A", unless the
-<code class="option">-x</code> option is supplied to indicate a reverse lookup.
-A zone transfer can be requested by specifying a type of AXFR. When
-an incremental zone transfer (IXFR) is required,
-<em class="parameter"><code>type</code></em> is set to <code class="literal">ixfr=N</code>.
-The incremental zone transfer will contain the changes made to the zone
-since the serial number in the zone's SOA record was
-<em class="parameter"><code>N</code></em>.
-</p>
+ The <code class="option">-q</code> option sets the query name to
+ <em class="parameter"><code>name</code></em>. This useful do distinguish the
+ <em class="parameter"><code>name</code></em> from other arguments.
+ </p>
<p>
-Reverse lookups - mapping addresses to names - are simplified by the
-<code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is an IPv4
-address in dotted-decimal notation, or a colon-delimited IPv6 address.
-When this option is used, there is no need to provide the
-<em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
-<em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
-automatically performs a lookup for a name like
-<code class="literal">11.12.13.10.in-addr.arpa</code> and sets the query type and
-class to PTR and IN respectively. By default, IPv6 addresses are
-looked up using nibble format under the IP6.ARPA domain.
-To use the older RFC1886 method using the IP6.INT domain
-specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
-are now experimental and are not attempted.
-</p>
+ Reverse lookups &#8212; mapping addresses to names &#8212; are simplified by the
+ <code class="option">-x</code> option. <em class="parameter"><code>addr</code></em> is
+ an IPv4
+ address in dotted-decimal notation, or a colon-delimited IPv6 address.
+ When this option is used, there is no need to provide the
+ <em class="parameter"><code>name</code></em>, <em class="parameter"><code>class</code></em> and
+ <em class="parameter"><code>type</code></em> arguments. <span><strong class="command">dig</strong></span>
+ automatically performs a lookup for a name like
+ <code class="literal">11.12.13.10.in-addr.arpa</code> and sets the
+ query type and
+ class to PTR and IN respectively. By default, IPv6 addresses are
+ looked up using nibble format under the IP6.ARPA domain.
+ To use the older RFC1886 method using the IP6.INT domain
+ specify the <code class="option">-i</code> option. Bit string labels (RFC2874)
+ are now experimental and are not attempted.
+ </p>
<p>
-To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and their
-responses using transaction signatures (TSIG), specify a TSIG key file
-using the <code class="option">-k</code> option. You can also specify the TSIG
-key itself on the command line using the <code class="option">-y</code> option;
-<em class="parameter"><code>name</code></em> is the name of the TSIG key and
-<em class="parameter"><code>key</code></em> is the actual key. The key is a base-64
-encoded string, typically generated by <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+ To sign the DNS queries sent by <span><strong class="command">dig</strong></span> and
+ their
+ responses using transaction signatures (TSIG), specify a TSIG key file
+ using the <code class="option">-k</code> option. You can also specify the TSIG
+ key itself on the command line using the <code class="option">-y</code> option;
+ <em class="parameter"><code>hmac</code></em> is the type of the TSIG, default HMAC-MD5,
+ <em class="parameter"><code>name</code></em> is the name of the TSIG key and
+ <em class="parameter"><code>key</code></em> is the actual key. The key is a
+ base-64
+ encoded string, typically generated by
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
-Caution should be taken when using the <code class="option">-y</code> option on
-multi-user systems as the key can be visible in the output from
-<span class="citerefentry"><span class="refentrytitle">ps</span>(1
-)</span> or in the shell's history file. When
-using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
-server that is queried needs to know the key and algorithm that is
-being used. In BIND, this is done by providing appropriate
-<span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
-<code class="filename">named.conf</code>.
-</p>
+ Caution should be taken when using the <code class="option">-y</code> option on
+ multi-user systems as the key can be visible in the output from
+ <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span>
+ or in the shell's history file. When
+ using TSIG authentication with <span><strong class="command">dig</strong></span>, the name
+ server that is queried needs to know the key and algorithm that is
+ being used. In BIND, this is done by providing appropriate
+ <span><strong class="command">key</strong></span> and <span><strong class="command">server</strong></span> statements in
+ <code class="filename">named.conf</code>.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2549998"></a><h2>QUERY OPTIONS</h2>
+<a name="id2543939"></a><h2>QUERY OPTIONS</h2>
+<p><span><strong class="command">dig</strong></span>
+ provides a number of query options which affect
+ the way in which lookups are made and the results displayed. Some of
+ these set or reset flag bits in the query header, some determine which
+ sections of the answer get printed, and others determine the timeout
+ and retry strategies.
+ </p>
<p>
-<span><strong class="command">dig</strong></span> provides a number of query options which affect
-the way in which lookups are made and the results displayed. Some of
-these set or reset flag bits in the query header, some determine which
-sections of the answer get printed, and others determine the timeout
-and retry strategies.
-</p>
-<p>
-Each query option is identified by a keyword preceded by a plus sign
-(<code class="literal">+</code>). Some keywords set or reset an option. These may be preceded
-by the string <code class="literal">no</code> to negate the meaning of that keyword. Other
-keywords assign values to options like the timeout interval. They
-have the form <code class="option">+keyword=value</code>.
-The query options are:
+ Each query option is identified by a keyword preceded by a plus sign
+ (<code class="literal">+</code>). Some keywords set or reset an
+ option. These may be preceded
+ by the string <code class="literal">no</code> to negate the meaning of
+ that keyword. Other
+ keywords assign values to options like the timeout interval. They
+ have the form <code class="option">+keyword=value</code>.
+ The query options are:
-</p>
+ </p>
<div class="variablelist"><dl>
<dt><span class="term"><code class="option">+[no]tcp</code></span></dt>
<dd><p>
-Use [do not use] TCP when querying name servers. The default
-behaviour is to use UDP unless an AXFR or IXFR query is requested, in
-which case a TCP connection is used.
-</p></dd>
+ Use [do not use] TCP when querying name servers. The default
+ behavior is to use UDP unless an AXFR or IXFR query is
+ requested, in
+ which case a TCP connection is used.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]vc</code></span></dt>
<dd><p>
-Use [do not use] TCP when querying name servers. This alternate
-syntax to <em class="parameter"><code>+[no]tcp</code></em> is provided for backwards
-compatibility. The "vc" stands for "virtual circuit".
-</p></dd>
+ Use [do not use] TCP when querying name servers. This alternate
+ syntax to <em class="parameter"><code>+[no]tcp</code></em> is
+ provided for backwards
+ compatibility. The "vc" stands for "virtual circuit".
+ </p></dd>
<dt><span class="term"><code class="option">+[no]ignore</code></span></dt>
<dd><p>
-Ignore truncation in UDP responses instead of retrying with TCP. By
-default, TCP retries are performed.
-</p></dd>
+ Ignore truncation in UDP responses instead of retrying with TCP.
+ By
+ default, TCP retries are performed.
+ </p></dd>
<dt><span class="term"><code class="option">+domain=somename</code></span></dt>
<dd><p>
-Set the search list to contain the single domain
-<em class="parameter"><code>somename</code></em>, as if specified in a
-<span><strong class="command">domain</strong></span> directive in
-<code class="filename">/etc/resolv.conf</code>, and enable search list
-processing as if the <em class="parameter"><code>+search</code></em> option were given.
-</p></dd>
+ Set the search list to contain the single domain
+ <em class="parameter"><code>somename</code></em>, as if specified in
+ a
+ <span><strong class="command">domain</strong></span> directive in
+ <code class="filename">/etc/resolv.conf</code>, and enable
+ search list
+ processing as if the <em class="parameter"><code>+search</code></em>
+ option were given.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]search</code></span></dt>
<dd><p>
-Use [do not use] the search list defined by the searchlist or domain
-directive in <code class="filename">resolv.conf</code> (if any).
-The search list is not used by default.
-</p></dd>
+ Use [do not use] the search list defined by the searchlist or
+ domain
+ directive in <code class="filename">resolv.conf</code> (if
+ any).
+ The search list is not used by default.
+ </p></dd>
+<dt><span class="term"><code class="option">+[no]showsearch</code></span></dt>
+<dd><p>
+ Perform [do not perform] a search showing intermediate
+ results.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]defname</code></span></dt>
<dd><p>
-Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
-</p></dd>
+ Deprecated, treated as a synonym for <em class="parameter"><code>+[no]search</code></em>
+ </p></dd>
<dt><span class="term"><code class="option">+[no]aaonly</code></span></dt>
<dd><p>
-Sets the "aa" flag in the query.
-</p></dd>
+ Sets the "aa" flag in the query.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]aaflag</code></span></dt>
<dd><p>
-A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
-</p></dd>
+ A synonym for <em class="parameter"><code>+[no]aaonly</code></em>.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
<dd><p>
-Set [do not set] the AD (authentic data) bit in the query. The AD bit
-currently has a standard meaning only in responses, not in queries,
-but the ability to set the bit in the query is provided for
-completeness.
-</p></dd>
+ Set [do not set] the AD (authentic data) bit in the query. The
+ AD bit
+ currently has a standard meaning only in responses, not in
+ queries,
+ but the ability to set the bit in the query is provided for
+ completeness.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
<dd><p>
-Set [do not set] the CD (checking disabled) bit in the query. This
-requests the server to not perform DNSSEC validation of responses.
-</p></dd>
+ Set [do not set] the CD (checking disabled) bit in the query.
+ This
+ requests the server to not perform DNSSEC validation of
+ responses.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]cl</code></span></dt>
<dd><p>
-Display [do not display] the CLASS when printing the record.
-</p></dd>
+ Display [do not display] the CLASS when printing the record.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]ttlid</code></span></dt>
<dd><p>
-Display [do not display] the TTL when printing the record.
-</p></dd>
+ Display [do not display] the TTL when printing the record.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]recurse</code></span></dt>
<dd><p>
-Toggle the setting of the RD (recursion desired) bit in the query.
-This bit is set by default, which means <span><strong class="command">dig</strong></span>
-normally sends recursive queries. Recursion is automatically disabled
-when the <em class="parameter"><code>+nssearch</code></em> or
-<em class="parameter"><code>+trace</code></em> query options are used.
-</p></dd>
+ Toggle the setting of the RD (recursion desired) bit in the
+ query.
+ This bit is set by default, which means <span><strong class="command">dig</strong></span>
+ normally sends recursive queries. Recursion is automatically
+ disabled
+ when the <em class="parameter"><code>+nssearch</code></em> or
+ <em class="parameter"><code>+trace</code></em> query options are
+ used.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]nssearch</code></span></dt>
<dd><p>
-When this option is set, <span><strong class="command">dig</strong></span> attempts to find the
-authoritative name servers for the zone containing the name being
-looked up and display the SOA record that each name server has for the
-zone.
-</p></dd>
+ When this option is set, <span><strong class="command">dig</strong></span>
+ attempts to find the
+ authoritative name servers for the zone containing the name
+ being
+ looked up and display the SOA record that each name server has
+ for the
+ zone.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]trace</code></span></dt>
<dd><p>
-Toggle tracing of the delegation path from the root name servers for
-the name being looked up. Tracing is disabled by default. When
-tracing is enabled, <span><strong class="command">dig</strong></span> makes iterative queries to
-resolve the name being looked up. It will follow referrals from the
-root servers, showing the answer from each server that was used to
-resolve the lookup.
-</p></dd>
+ Toggle tracing of the delegation path from the root name servers
+ for
+ the name being looked up. Tracing is disabled by default. When
+ tracing is enabled, <span><strong class="command">dig</strong></span> makes
+ iterative queries to
+ resolve the name being looked up. It will follow referrals from
+ the
+ root servers, showing the answer from each server that was used
+ to
+ resolve the lookup.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]cmd</code></span></dt>
<dd><p>
-toggles the printing of the initial comment in the output identifying
-the version of <span><strong class="command">dig</strong></span> and the query options that have
-been applied. This comment is printed by default.
-</p></dd>
+ Toggles the printing of the initial comment in the output
+ identifying
+ the version of <span><strong class="command">dig</strong></span> and the query
+ options that have
+ been applied. This comment is printed by default.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]short</code></span></dt>
<dd><p>
-Provide a terse answer. The default is to print the answer in a
-verbose form.
-</p></dd>
+ Provide a terse answer. The default is to print the answer in a
+ verbose form.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]identify</code></span></dt>
<dd><p>
-Show [or do not show] the IP address and port number that supplied the
-answer when the <em class="parameter"><code>+short</code></em> option is enabled. If
-short form answers are requested, the default is not to show the
-source address and port number of the server that provided the answer.
-</p></dd>
+ Show [or do not show] the IP address and port number that
+ supplied the
+ answer when the <em class="parameter"><code>+short</code></em> option
+ is enabled. If
+ short form answers are requested, the default is not to show the
+ source address and port number of the server that provided the
+ answer.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]comments</code></span></dt>
<dd><p>
-Toggle the display of comment lines in the output. The default is to
-print comments.
-</p></dd>
+ Toggle the display of comment lines in the output. The default
+ is to
+ print comments.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]stats</code></span></dt>
<dd><p>
-This query option toggles the printing of statistics: when the query
-was made, the size of the reply and so on. The default behaviour is
-to print the query statistics.
-</p></dd>
+ This query option toggles the printing of statistics: when the
+ query
+ was made, the size of the reply and so on. The default
+ behavior is
+ to print the query statistics.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]qr</code></span></dt>
<dd><p>
-Print [do not print] the query as it is sent.
-By default, the query is not printed.
-</p></dd>
+ Print [do not print] the query as it is sent.
+ By default, the query is not printed.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]question</code></span></dt>
<dd><p>
-Print [do not print] the question section of a query when an answer is
-returned. The default is to print the question section as a comment.
-</p></dd>
+ Print [do not print] the question section of a query when an
+ answer is
+ returned. The default is to print the question section as a
+ comment.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]answer</code></span></dt>
<dd><p>
-Display [do not display] the answer section of a reply. The default
-is to display it.
-</p></dd>
+ Display [do not display] the answer section of a reply. The
+ default
+ is to display it.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]authority</code></span></dt>
<dd><p>
-Display [do not display] the authority section of a reply. The
-default is to display it.
-</p></dd>
+ Display [do not display] the authority section of a reply. The
+ default is to display it.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]additional</code></span></dt>
<dd><p>
-Display [do not display] the additional section of a reply.
-The default is to display it.
-</p></dd>
+ Display [do not display] the additional section of a reply.
+ The default is to display it.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]all</code></span></dt>
<dd><p>
-Set or clear all display flags.
-</p></dd>
+ Set or clear all display flags.
+ </p></dd>
<dt><span class="term"><code class="option">+time=T</code></span></dt>
<dd><p>
-Sets the timeout for a query to
-<em class="parameter"><code>T</code></em> seconds. The default time out is 5 seconds.
-An attempt to set <em class="parameter"><code>T</code></em> to less than 1 will result
-in a query timeout of 1 second being applied.
-</p></dd>
+ Sets the timeout for a query to
+ <em class="parameter"><code>T</code></em> seconds. The default
+ timeout is 5 seconds.
+ An attempt to set <em class="parameter"><code>T</code></em> to less
+ than 1 will result
+ in a query timeout of 1 second being applied.
+ </p></dd>
<dt><span class="term"><code class="option">+tries=T</code></span></dt>
<dd><p>
-Sets the number of times to try UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 3. If
-<em class="parameter"><code>T</code></em> is less than or equal to zero, the number of
-tries is silently rounded up to 1.
-</p></dd>
+ Sets the number of times to try UDP queries to server to
+ <em class="parameter"><code>T</code></em> instead of the default, 3.
+ If
+ <em class="parameter"><code>T</code></em> is less than or equal to
+ zero, the number of
+ tries is silently rounded up to 1.
+ </p></dd>
<dt><span class="term"><code class="option">+retry=T</code></span></dt>
<dd><p>
-Sets the number of times to retry UDP queries to server to
-<em class="parameter"><code>T</code></em> instead of the default, 2. Unlike
-<em class="parameter"><code>+tries</code></em>, this does not include the initial
-query.
-</p></dd>
+ Sets the number of times to retry UDP queries to server to
+ <em class="parameter"><code>T</code></em> instead of the default, 2.
+ Unlike
+ <em class="parameter"><code>+tries</code></em>, this does not include
+ the initial
+ query.
+ </p></dd>
<dt><span class="term"><code class="option">+ndots=D</code></span></dt>
<dd><p>
-Set the number of dots that have to appear in
-<em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
-considered absolute. The default value is that defined using the
-ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
-ndots statement is present. Names with fewer dots are interpreted as
-relative names and will be searched for in the domains listed in the
-<code class="option">search</code> or <code class="option">domain</code> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p></dd>
+ Set the number of dots that have to appear in
+ <em class="parameter"><code>name</code></em> to <em class="parameter"><code>D</code></em> for it to be
+ considered absolute. The default value is that defined using
+ the
+ ndots statement in <code class="filename">/etc/resolv.conf</code>, or 1 if no
+ ndots statement is present. Names with fewer dots are
+ interpreted as
+ relative names and will be searched for in the domains listed in
+ the
+ <code class="option">search</code> or <code class="option">domain</code> directive in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p></dd>
<dt><span class="term"><code class="option">+bufsize=B</code></span></dt>
<dd><p>
-Set the UDP message buffer size advertised using EDNS0 to
-<em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes of this
-buffer are 65535 and 0 respectively. Values outside this range are
-rounded up or down appropriately.
-</p></dd>
+ Set the UDP message buffer size advertised using EDNS0 to
+ <em class="parameter"><code>B</code></em> bytes. The maximum and minimum sizes
+ of this buffer are 65535 and 0 respectively. Values outside
+ this range are rounded up or down appropriately.
+ Values other than zero will cause a EDNS query to be sent.
+ </p></dd>
+<dt><span class="term"><code class="option">+edns=#</code></span></dt>
+<dd><p>
+ Specify the EDNS version to query with. Valid values
+ are 0 to 255. Setting the EDNS version will cause a
+ EDNS query to be sent. <code class="option">+noedns</code> clears the
+ remembered EDNS version.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]multiline</code></span></dt>
<dd><p>
-Print records like the SOA records in a verbose multi-line
-format with human-readable comments. The default is to print
-each record on a single line, to facilitate machine parsing
-of the <span><strong class="command">dig</strong></span> output.
-</p></dd>
+ Print records like the SOA records in a verbose multi-line
+ format with human-readable comments. The default is to print
+ each record on a single line, to facilitate machine parsing
+ of the <span><strong class="command">dig</strong></span> output.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]fail</code></span></dt>
<dd><p>
-Do not try the next server if you receive a SERVFAIL. The default is
-to not try the next server which is the reverse of normal stub resolver
-behaviour.
-</p></dd>
+ Do not try the next server if you receive a SERVFAIL. The
+ default is
+ to not try the next server which is the reverse of normal stub
+ resolver
+ behavior.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]besteffort</code></span></dt>
<dd><p>
-Attempt to display the contents of messages which are malformed.
-The default is to not display malformed answers.
-</p></dd>
+ Attempt to display the contents of messages which are malformed.
+ The default is to not display malformed answers.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]dnssec</code></span></dt>
<dd><p>
-Requests DNSSEC records be sent by setting the DNSSEC OK bit (DO)
-in the OPT record in the additional section of the query.
-</p></dd>
+ Requests DNSSEC records be sent by setting the DNSSEC OK bit
+ (DO)
+ in the OPT record in the additional section of the query.
+ </p></dd>
<dt><span class="term"><code class="option">+[no]sigchase</code></span></dt>
<dd><p>
-Chase DNSSEC signature chains. Requires dig be compiled with
--DDIG_SIGCHASE.
-</p></dd>
+ Chase DNSSEC signature chains. Requires dig be compiled with
+ -DDIG_SIGCHASE.
+ </p></dd>
<dt><span class="term"><code class="option">+trusted-key=####</code></span></dt>
<dd>
<p>
- Specifies a file containing trusted keys to be used with
+ Specifies a file containing trusted keys to be used with
<code class="option">+sigchase</code>. Each DNSKEY record must be
on its own line.
- </p>
+ </p>
<p>
If not specified <span><strong class="command">dig</strong></span> will look for
<code class="filename">/etc/trusted-key.key</code> then
<code class="filename">trusted-key.key</code> in the current directory.
</p>
<p>
- Requires dig be compiled with -DDIG_SIGCHASE.
+ Requires dig be compiled with -DDIG_SIGCHASE.
</p>
</dd>
<dt><span class="term"><code class="option">+[no]topdown</code></span></dt>
<dd><p>
-When chasing DNSSEC signature chains perform a top down validation.
-Requires dig be compiled with -DDIG_SIGCHASE.
-</p></dd>
+ When chasing DNSSEC signature chains perform a top-down
+ validation.
+ Requires dig be compiled with -DDIG_SIGCHASE.
+ </p></dd>
</dl></div>
<p>
-</p>
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2550666"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545128"></a><h2>MULTIPLE QUERIES</h2>
<p>
-The BIND 9 implementation of <span><strong class="command">dig </strong></span> supports
-specifying multiple queries on the command line (in addition to
-supporting the <code class="option">-f</code> batch file option). Each of those
-queries can be supplied with its own set of flags, options and query
-options.
-</p>
+ The BIND 9 implementation of <span><strong class="command">dig </strong></span>
+ supports
+ specifying multiple queries on the command line (in addition to
+ supporting the <code class="option">-f</code> batch file option). Each of those
+ queries can be supplied with its own set of flags, options and query
+ options.
+ </p>
<p>
-In this case, each <em class="parameter"><code>query</code></em> argument represent an
-individual query in the command-line syntax described above. Each
-consists of any of the standard options and flags, the name to be
-looked up, an optional query type and class and any query options that
-should be applied to that query.
-</p>
+ In this case, each <em class="parameter"><code>query</code></em> argument
+ represent an
+ individual query in the command-line syntax described above. Each
+ consists of any of the standard options and flags, the name to be
+ looked up, an optional query type and class and any query options that
+ should be applied to that query.
+ </p>
<p>
-A global set of query options, which should be applied to all queries,
-can also be supplied. These global query options must precede the
-first tuple of name, class, type, options, flags, and query options
-supplied on the command line. Any global query options (except
-the <code class="option">+[no]cmd</code> option) can be
-overridden by a query-specific set of query options. For example:
-</p>
+ A global set of query options, which should be applied to all queries,
+ can also be supplied. These global query options must precede the
+ first tuple of name, class, type, options, flags, and query options
+ supplied on the command line. Any global query options (except
+ the <code class="option">+[no]cmd</code> option) can be
+ overridden by a query-specific set of query options. For example:
+ </p>
<pre class="programlisting">
dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
</pre>
<p>
-shows how <span><strong class="command">dig</strong></span> could be used from the command line
-to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
-reverse lookup of 127.0.0.1 and a query for the NS records of
-<code class="literal">isc.org</code>.
+ shows how <span><strong class="command">dig</strong></span> could be used from the
+ command line
+ to make three lookups: an ANY query for <code class="literal">www.isc.org</code>, a
+ reverse lookup of 127.0.0.1 and a query for the NS records of
+ <code class="literal">isc.org</code>.
-A global query option of <em class="parameter"><code>+qr</code></em> is applied, so
-that <span><strong class="command">dig</strong></span> shows the initial query it made for each
-lookup. The final query has a local query option of
-<em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
-will not print the initial query when it looks up the NS records for
-<code class="literal">isc.org</code>.
-</p>
+ A global query option of <em class="parameter"><code>+qr</code></em> is
+ applied, so
+ that <span><strong class="command">dig</strong></span> shows the initial query it made
+ for each
+ lookup. The final query has a local query option of
+ <em class="parameter"><code>+noqr</code></em> which means that <span><strong class="command">dig</strong></span>
+ will not print the initial query when it looks up the NS records for
+ <code class="literal">isc.org</code>.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2550725"></a><h2>FILES</h2>
+<a name="id2545258"></a><h2>IDN SUPPORT</h2>
<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
-<p>
-<code class="filename">${HOME}/.digrc</code>
-</p>
+ If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span><strong class="command">dig</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span><strong class="command">dig</strong></span> runs.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2550744"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
-<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
-<em class="citetitle">RFC1035</em>.
-</p>
+<a name="id2545281"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+ </p>
+<p><code class="filename">${HOME}/.digrc</code>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2545298"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">RFC1035</em>.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2550782"></a><h2>BUGS </h2>
+<a name="id2545335"></a><h2>BUGS</h2>
<p>
-There are probably too many query options.
-</p>
+ There are probably too many query options.
+ </p>
</div>
</div></body>
</html>
diff --git a/usr.sbin/bind/bin/dig/dighost.c b/usr.sbin/bind/bin/dig/dighost.c
index 06b0d3538c3..072a1912293 100644
--- a/usr.sbin/bind/bin/dig/dighost.c
+++ b/usr.sbin/bind/bin/dig/dighost.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,9 +15,10 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dighost.c,v 1.221.2.19.2.36 2006/12/07 01:26:33 marka Exp $ */
+/* $ISC: dighost.c,v 1.259.18.43 2007/08/28 07:19:55 tbox Exp $ */
-/*
+/*! \file
+ * \note
* Notice to programmers: Do not use this code as an example of how to
* use the ISC library to perform DNS lookups. Dig and Host both operate
* on the request level, since they allow fine-tuning of output and are
@@ -32,6 +33,17 @@
#include <string.h>
#include <limits.h>
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#ifdef WITH_IDN
+#include <idn/result.h>
+#include <idn/log.h>
+#include <idn/resconf.h>
+#include <idn/api.h>
+#endif
+
#include <dns/byaddr.h>
#ifdef DIG_SIGCHASE
#include <dns/dnssec.h>
@@ -95,16 +107,19 @@ dig_serverlist_t server_list;
dig_searchlistlist_t search_list;
isc_boolean_t
+ check_ra = ISC_FALSE,
have_ipv4 = ISC_FALSE,
have_ipv6 = ISC_FALSE,
specified_source = ISC_FALSE,
free_now = ISC_FALSE,
cancel_now = ISC_FALSE,
usesearch = ISC_FALSE,
+ showsearch = ISC_FALSE,
qr = ISC_FALSE,
is_dst_up = ISC_FALSE;
in_port_t port = 53;
unsigned int timeout = 0;
+unsigned int extrabytes;
isc_mem_t *mctx = NULL;
isc_taskmgr_t *taskmgr = NULL;
isc_task_t *global_task = NULL;
@@ -119,20 +134,36 @@ int ndots = -1;
int tries = 3;
int lookup_counter = 0;
-/*
+#ifdef WITH_IDN
+static void initialize_idn(void);
+static isc_result_t output_filter(isc_buffer_t *buffer,
+ unsigned int used_org,
+ isc_boolean_t absolute);
+static idn_result_t append_textname(char *name, const char *origin,
+ size_t namesize);
+static void idn_check_result(idn_result_t r, const char *msg);
+
+#define MAXDLEN 256
+int idnoptions = 0;
+#endif
+
+/*%
* Exit Codes:
- * 0 Everything went well, including things like NXDOMAIN
- * 1 Usage error
- * 7 Got too many RR's or Names
- * 8 Couldn't open batch file
- * 9 No reply from server
- * 10 Internal error
+ *
+ *\li 0 Everything went well, including things like NXDOMAIN
+ *\li 1 Usage error
+ *\li 7 Got too many RR's or Names
+ *\li 8 Couldn't open batch file
+ *\li 9 No reply from server
+ *\li 10 Internal error
*/
int exitcode = 0;
int fatalexit = 0;
char keynametext[MXNAME];
char keyfile[MXNAME] = "";
char keysecret[MXNAME] = "";
+dns_name_t *hmacname = NULL;
+unsigned int digestbits = 0;
isc_buffer_t *namebuf = NULL;
dns_tsigkey_t *key = NULL;
isc_boolean_t validated = ISC_TRUE;
@@ -246,7 +277,7 @@ dns_name_t chase_name; /* the query name */
/*
* the current name is the parent name when we follow delegation
*/
-dns_name_t chase_current_name;
+dns_name_t chase_current_name;
/*
* the child name is used for delegation (NS DS responses in AUTHORITY section)
*/
@@ -293,7 +324,7 @@ struct_tk_list tk_list = { {NULL, NULL, NULL, NULL, NULL}, 0};
#define DIG_MAX_ADDRESSES 20
-/*
+/*%
* Apply and clear locks at the event level in global task.
* Can I get rid of these using shutdown events? XXX
*/
@@ -377,7 +408,7 @@ hex_dump(isc_buffer_t *b) {
printf("\n");
}
-/*
+/*%
* Append 'len' bytes of 'text' at '*p', failing with
* ISC_R_NOSPACE if that would advance p past 'end'.
*/
@@ -493,7 +524,7 @@ check_result(isc_result_t result, const char *msg) {
}
}
-/*
+/*%
* Create a server structure, which is part of the lookup structure.
* This is little more than a linked list of servers to query in hopes
* of finding the answer the user is looking for
@@ -533,7 +564,7 @@ addr2af(int lwresaddrtype)
return (af);
}
-/*
+/*%
* Create a copy of the server list from the lwres configuration structure.
* The dest list must have already had ISC_LIST_INIT applied.
*/
@@ -583,7 +614,7 @@ set_nameserver(char *opt) {
return;
result = bind9_getaddresses(opt, 0, sockaddrs,
- DIG_MAX_ADDRESSES, &count);
+ DIG_MAX_ADDRESSES, &count);
if (result != ISC_R_SUCCESS)
fatal("couldn't get address for '%s': %s",
opt, isc_result_totext(result));
@@ -628,7 +659,7 @@ add_nameserver(lwres_conf_t *confdata, const char *addr, int af) {
return (ISC_R_FAILURE);
}
-/*
+/*%
* Produce a cloned server list. The dest list must have already had
* ISC_LIST_INIT applied.
*/
@@ -646,7 +677,7 @@ clone_server_list(dig_serverlist_t src, dig_serverlist_t *dest) {
}
}
-/*
+/*%
* Create an empty lookup structure, which holds all the information needed
* to get an answer to a user's question. This structure contains two
* linked lists: the server list (servers to query) and the query list
@@ -702,6 +733,7 @@ make_empty_lookup(void) {
#endif
#endif
looknew->udpsize = 0;
+ looknew->edns = -1;
looknew->recurse = ISC_TRUE;
looknew->aaonly = ISC_FALSE;
looknew->adflag = ISC_FALSE;
@@ -721,13 +753,15 @@ make_empty_lookup(void) {
looknew->section_authority = ISC_TRUE;
looknew->section_additional = ISC_TRUE;
looknew->new_search = ISC_FALSE;
+ looknew->done_as_is = ISC_FALSE;
+ looknew->need_search = ISC_FALSE;
ISC_LINK_INIT(looknew, link);
ISC_LIST_INIT(looknew->q);
ISC_LIST_INIT(looknew->my_server_list);
return (looknew);
}
-/*
+/*%
* Clone a lookup, perhaps copying the server list. This does not clone
* the query list, since it will be regenerated by the setup_lookup()
* function, nor does it queue up the new lookup for processing.
@@ -777,6 +811,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
#endif
#endif
looknew->udpsize = lookold->udpsize;
+ looknew->edns = lookold->edns;
looknew->recurse = lookold->recurse;
looknew->aaonly = lookold->aaonly;
looknew->adflag = lookold->adflag;
@@ -791,6 +826,8 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
looknew->section_additional = lookold->section_additional;
looknew->retries = lookold->retries;
looknew->tsigctx = NULL;
+ looknew->need_search = lookold->need_search;
+ looknew->done_as_is = lookold->done_as_is;
if (servers)
clone_server_list(lookold->my_server_list,
@@ -798,7 +835,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
return (looknew);
}
-/*
+/*%
* Requeue a lookup for further processing, perhaps copying the server
* list. The new lookup structure is returned to the caller, and is
* queued for processing. If servers are not cloned in the requeue, they
@@ -860,14 +897,15 @@ setup_text_key(void) {
if (result != ISC_R_SUCCESS)
goto failure;
- result = dns_tsigkey_create(&keyname, dns_tsig_hmacmd5_name,
- secretstore, secretsize,
- ISC_FALSE, NULL, 0, 0, mctx,
+ result = dns_tsigkey_create(&keyname, hmacname, secretstore,
+ secretsize, ISC_FALSE, NULL, 0, 0, mctx,
NULL, &key);
failure:
if (result != ISC_R_SUCCESS)
printf(";; Couldn't create key %s: %s\n",
keynametext, isc_result_totext(result));
+ else
+ dst_key_setbits(key->key, digestbits);
isc_mem_free(mctx, secretstore);
dns_name_invalidate(&keyname);
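Review bot: `hmacname` is passed to `dns_tsigkey_create()` without a NULL check, and the file-scope definition added by this commit initialises it to NULL. Whether every caller assigns it before `setup_text_key()` runs is decided outside this hunk (presumably in the option parser), so an explicit guard ahead of the call, such as `INSIST(hmacname != NULL);`, would make the precondition visible. The added `else dst_key_setbits(key->key, digestbits);` would also benefit from a one-line comment on what a `digestbits` of 0 means, since 0 is the default set at file scope. setup_text_key's body starts before this hunk.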
@@ -888,8 +926,31 @@ setup_file_key(void) {
goto failure;
}
- result = dns_tsigkey_createfromkey(dst_key_name(dstkey),
- dns_tsig_hmacmd5_name,
+ switch (dst_key_alg(dstkey)) {
+ case DST_ALG_HMACMD5:
+ hmacname = DNS_TSIG_HMACMD5_NAME;
+ break;
+ case DST_ALG_HMACSHA1:
+ hmacname = DNS_TSIG_HMACSHA1_NAME;
+ break;
+ case DST_ALG_HMACSHA224:
+ hmacname = DNS_TSIG_HMACSHA224_NAME;
+ break;
+ case DST_ALG_HMACSHA256:
+ hmacname = DNS_TSIG_HMACSHA256_NAME;
+ break;
+ case DST_ALG_HMACSHA384:
+ hmacname = DNS_TSIG_HMACSHA384_NAME;
+ break;
+ case DST_ALG_HMACSHA512:
+ hmacname = DNS_TSIG_HMACSHA512_NAME;
+ break;
+ default:
+ printf(";; Couldn't create key %s: bad algorithm\n",
+ keynametext);
+ goto failure;
+ }
+ result = dns_tsigkey_createfromkey(dst_key_name(dstkey), hmacname,
dstkey, ISC_FALSE, NULL, 0, 0,
mctx, NULL, &key);
if (result != ISC_R_SUCCESS) {
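Review bot: The new `default:` branch reports the failure with `keynametext`, but in this function the key is loaded from a file and the name in use is `dst_key_name(dstkey)`; `keynametext` looks like it is only filled on the text-key path, so the message may print an empty name. Printing the file instead, `printf(";; Couldn't create key %s: bad algorithm\n", keyfile);`, would identify the key that was rejected. The branch also jumps to `failure` without changing `result`; the label is outside this hunk, so confirm that its cleanup does not depend on `result` holding an error there.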
@@ -929,7 +990,7 @@ create_search_list(lwres_conf_t *confdata) {
}
}
-/*
+/*%
* Setup the system as a whole, reading key information and resolv.conf
* settings.
*/
@@ -983,6 +1044,10 @@ setup_system(void) {
if (ISC_LIST_EMPTY(server_list))
copy_server_list(lwconf, &server_list);
+#ifdef WITH_IDN
+ initialize_idn();
+#endif
+
if (keyfile[0] != 0)
setup_file_key();
else if (keysecret[0] != 0)
@@ -1013,7 +1078,7 @@ clear_searchlist(void) {
}
}
-/*
+/*%
* Override the search list derived from resolv.conf by 'domain'.
*/
void
@@ -1025,7 +1090,7 @@ set_search_domain(char *domain) {
ISC_LIST_APPEND(search_list, search, link);
}
-/*
+/*%
* Setup the ISC and DNS libraries for use by the system.
*/
void
@@ -1082,12 +1147,14 @@ setup_libs(void) {
dns_result_register();
}
-/*
+/*%
* Add EDNS0 option record to a message. Currently, the only supported
* options are UDP buffer size and the DO bit.
*/
static void
-add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
+add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
+ isc_boolean_t dnssec)
+{
dns_rdataset_t *rdataset = NULL;
dns_rdatalist_t *rdatalist = NULL;
dns_rdata_t *rdata = NULL;
@@ -1106,9 +1173,9 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
rdatalist->type = dns_rdatatype_opt;
rdatalist->covers = 0;
rdatalist->rdclass = udpsize;
- rdatalist->ttl = 0;
+ rdatalist->ttl = edns << 16;
if (dnssec)
- rdatalist->ttl = DNS_MESSAGEEXTFLAG_DO;
+ rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
rdata->data = NULL;
rdata->length = 0;
ISC_LIST_INIT(rdatalist->rdata);
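Review bot: `edns << 16` is evaluated in `int` after integer promotion of the `isc_uint16_t` argument, so a value of 0x8000 or more shifts into the sign bit, and anything above 255 spills into the top byte of the TTL field, which carries the extended RCODE in an OPT record. Nothing in this hunk bounds `edns`; the range check, if there is one, lives in the caller. Widening and masking at the point of use, `rdatalist->ttl = ((isc_uint32_t)edns & 0xff) << 16;`, keeps the version inside its eight bits whatever the option parser allows. add_opt's body extends beyond this hunk.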
@@ -1118,7 +1185,7 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_boolean_t dnssec) {
check_result(result, "dns_message_setopt");
}
-/*
+/*%
* Add a question section to a message, asking for the specified name,
* type, and class.
*/
@@ -1138,7 +1205,7 @@ add_question(dns_message_t *message, dns_name_t *name,
ISC_LIST_APPEND(name->list, rdataset, link);
}
-/*
+/*%
* Check if we're done with all the queued lookups, which is true iff
* all sockets, sends, and recvs are accounted for (counters == 0),
* and the lookup list is empty.
@@ -1159,7 +1226,7 @@ check_if_done(void) {
}
}
-/*
+/*%
* Clear out a query when we're done with it. WARNING: This routine
* WILL invalidate the query pointer.
*/
@@ -1198,16 +1265,14 @@ clear_query(dig_query_t *query) {
isc_mem_free(mctx, query);
}
-/*
+/*%
* Try and clear out a lookup if we're done with it. Return ISC_TRUE if
* the lookup was successfully cleared. If ISC_TRUE is returned, the
* lookup pointer has been invalidated.
*/
static isc_boolean_t
try_clear_lookup(dig_lookup_t *lookup) {
- dig_server_t *s;
dig_query_t *q;
- void *ptr;
REQUIRE(lookup != NULL);
@@ -1228,7 +1293,16 @@ try_clear_lookup(dig_lookup_t *lookup) {
* At this point, we know there are no queries on the lookup,
* so can make it go away also.
*/
- debug("cleared");
+ destroy_lookup(lookup);
+ return (ISC_TRUE);
+}
+
+void
+destroy_lookup(dig_lookup_t *lookup) {
+ dig_server_t *s;
+ void *ptr;
+
+ debug("destroy");
s = ISC_LIST_HEAD(lookup->my_server_list);
while (s != NULL) {
debug("freeing server %p belonging to %p", s, lookup);
@@ -1253,10 +1327,9 @@ try_clear_lookup(dig_lookup_t *lookup) {
dst_context_destroy(&lookup->tsigctx);
isc_mem_free(mctx, lookup);
- return (ISC_TRUE);
}
-/*
+/*%
* If we can, start the next lookup in the queue running.
* This assumes that the lookup on the head of the queue hasn't been
* started yet. It also removes the lookup from the head of the queue,
@@ -1332,7 +1405,7 @@ start_lookup(void) {
current_lookup->qrdtype_sigchase
= current_lookup->qrdtype;
current_lookup->qrdtype = dns_rdatatype_ns;
-
+
current_lookup->rdclass_sigchase
= current_lookup->rdclass;
current_lookup->rdclass_sigchaseset
@@ -1369,7 +1442,7 @@ start_lookup(void) {
}
}
-/*
+/*%
* If we can, clear the current lookup and start the next one running.
* This calls try_clear_lookup, so may invalidate the lookup pointer.
*/
@@ -1390,7 +1463,7 @@ check_next_lookup(dig_lookup_t *lookup) {
}
}
-/*
+/*%
* Create and queue a new lookup as a followup to the current lookup,
* based on the supplied message and section. This is used in trace and
* name server search modes to start a new lookup using servers from
@@ -1407,6 +1480,8 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
isc_result_t result;
isc_boolean_t success = ISC_FALSE;
int numLookups = 0;
+ dns_name_t *domain;
+ isc_boolean_t horizontal = ISC_FALSE, bad = ISC_FALSE;
INSIST(!free_now);
@@ -1433,6 +1508,26 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
debug("found NS set");
+ if (query->lookup->trace && !query->lookup->trace_root) {
+ dns_namereln_t namereln;
+ unsigned int nlabels;
+ int order;
+
+ domain = dns_fixedname_name(&query->lookup->fdomain);
+ namereln = dns_name_fullcompare(name, domain,
+ &order, &nlabels);
+ if (namereln == dns_namereln_equal) {
+ if (!horizontal)
+ printf(";; BAD (HORIZONTAL) REFERRAL\n");
+ horizontal = ISC_TRUE;
+ } else if (namereln != dns_namereln_subdomain) {
+ if (!bad)
+ printf(";; BAD REFERRAL\n");
+ bad = ISC_TRUE;
+ continue;
+ }
+ }
+
for (result = dns_rdataset_first(rdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(rdataset)) {
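Review bot: In the added referral check the horizontal case (`namereln == dns_namereln_equal`) prints a warning and then falls through to the server loop, so that NS set is still followed, while every other non-subdomain referral is skipped with `continue`. If the asymmetry is intended it should be stated above the `if`, for example `/* A horizontal referral is reported but still followed; only referrals outside the current domain are dropped. */`. Whether repeated horizontal referrals are bounded elsewhere (a lookup counter, for instance) cannot be seen from this hunk. followup_lookup starts and ends outside it.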
@@ -1470,6 +1565,9 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
lookup->trace_root = ISC_FALSE;
if (lookup->ns_search_only)
lookup->recurse = ISC_FALSE;
+ dns_fixedname_init(&lookup->fdomain);
+ domain = dns_fixedname_name(&lookup->fdomain);
+ dns_name_copy(name, domain, NULL);
}
srv = make_server(namestr, namestr);
debug("adding server %s", srv->servername);
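Review bot: `fdomain` is filled in here only on the lookup created by this follow-up, and the clone_lookup() hunks in this commit copy `need_search` and `done_as_is` but show no copy of `fdomain`. If a traced lookup is later requeued (the truncation retry in recv_done calls `requeue_lookup(l, ISC_TRUE)`), the new referral check would compare against whatever the clone's `fdomain` holds. The rest of clone_lookup() is not visible, so this needs confirming; if the copy is missing, a `dns_name_copy()` from `lookold->fdomain` into `looknew->fdomain` in clone_lookup() closes the gap. The return value of `dns_name_copy(name, domain, NULL)` is also discarded in this hunk.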
@@ -1483,10 +1581,32 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
(query->lookup->trace || query->lookup->ns_search_only))
return (followup_lookup(msg, query, DNS_SECTION_AUTHORITY));
- return numLookups;
+ /*
+ * Randomize the order the nameserver will be tried.
+ */
+ if (numLookups > 1) {
+ isc_uint32_t i, j;
+ dig_serverlist_t my_server_list;
+
+ ISC_LIST_INIT(my_server_list);
+
+ for (i = numLookups; i > 0; i--) {
+ isc_random_get(&j);
+ j %= i;
+ srv = ISC_LIST_HEAD(lookup->my_server_list);
+ while (j-- > 0)
+ srv = ISC_LIST_NEXT(srv, link);
+ ISC_LIST_DEQUEUE(lookup->my_server_list, srv, link);
+ ISC_LIST_APPEND(my_server_list, srv, link);
+ }
+ ISC_LIST_APPENDLIST(lookup->my_server_list,
+ my_server_list, link);
+ }
+
+ return (numLookups);
}
-/*
+/*%
* Create and queue a new lookup using the next origin from the search
* list, read in setup_system().
*
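Review bot: The shuffle walks `lookup->my_server_list` for `j` steps on the assumption that the list holds exactly `numLookups` entries; if the two counts ever disagree, `srv` becomes NULL and `ISC_LIST_NEXT(srv, link)` or `ISC_LIST_DEQUEUE` dereferences it. An `INSIST(srv != NULL);` after the inner `while` would turn that into a clean assertion failure. `j %= i` carries a slight modulo bias, which is harmless for spreading queries across name servers but worth a comment so the routine is not reused where uniformity matters. The start of followup_lookup is outside this hunk.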
@@ -1495,6 +1615,7 @@ followup_lookup(dns_message_t *msg, dig_query_t *query, dns_section_t section)
static isc_boolean_t
next_origin(dns_message_t *msg, dig_query_t *query) {
dig_lookup_t *lookup;
+ dig_searchlist_t *search;
UNUSED(msg);
@@ -1509,18 +1630,27 @@ next_origin(dns_message_t *msg, dig_query_t *query) {
* about finding the next entry.
*/
return (ISC_FALSE);
- if (query->lookup->origin == NULL)
+ if (query->lookup->origin == NULL && !query->lookup->need_search)
/*
* Then we just did rootorg; there's nothing left.
*/
return (ISC_FALSE);
- lookup = requeue_lookup(query->lookup, ISC_TRUE);
- lookup->origin = ISC_LIST_NEXT(query->lookup->origin, link);
+ if (query->lookup->origin == NULL && query->lookup->need_search) {
+ lookup = requeue_lookup(query->lookup, ISC_TRUE);
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ lookup->need_search = ISC_FALSE;
+ } else {
+ search = ISC_LIST_NEXT(query->lookup->origin, link);
+ if (search == NULL && query->lookup->done_as_is)
+ return (ISC_FALSE);
+ lookup = requeue_lookup(query->lookup, ISC_TRUE);
+ lookup->origin = search;
+ }
cancel_lookup(query->lookup);
return (ISC_TRUE);
}
-/*
+/*%
* Insert an SOA record into the sendmessage in a lookup. Used for
* creating IXFR queries.
*/
@@ -1586,7 +1716,7 @@ insert_soa(dig_lookup_t *lookup) {
dns_message_addname(lookup->sendmsg, soaname, DNS_SECTION_AUTHORITY);
}
-/*
+/*%
* Setup the supplied lookup structure, making it ready to start sending
* queries to servers. Create and initialize the message to be sent as
* well as the query structures and buffer space for the replies. If the
@@ -1602,6 +1732,15 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_t b;
dns_compress_t cctx;
char store[MXNAME];
+#ifdef WITH_IDN
+ idn_result_t mr;
+ char utf8_textname[MXNAME], utf8_origin[MXNAME], idn_textname[MXNAME];
+#endif
+
+#ifdef WITH_IDN
+ result = dns_name_settotextfilter(output_filter);
+ check_result(result, "dns_name_settotextfilter");
+#endif
REQUIRE(lookup != NULL);
INSIST(!free_now);
@@ -1630,6 +1769,17 @@ setup_lookup(dig_lookup_t *lookup) {
isc_buffer_init(&lookup->onamebuf, lookup->onamespace,
sizeof(lookup->onamespace));
+#ifdef WITH_IDN
+ /*
+ * We cannot convert `textname' and `origin' separately.
+ * `textname' doesn't contain TLD, but local mapping needs
+ * TLD.
+ */
+ mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP, lookup->textname,
+ utf8_textname, sizeof(utf8_textname));
+ idn_check_result(mr, "convert textname to UTF-8");
+#endif
+
/*
* If the name has too many dots, force the origin to be NULL
* (which produces an absolute lookup). Otherwise, take the origin
@@ -1637,12 +1787,43 @@ setup_lookup(dig_lookup_t *lookup) {
* take the first entry in the searchlist iff either usesearch
* is TRUE or we got a domain line in the resolv.conf file.
*/
- /* XXX New search here? */
- if ((count_dots(lookup->textname) >= ndots) || !usesearch)
- lookup->origin = NULL; /* Force abs lookup */
- else if (lookup->origin == NULL && lookup->new_search && usesearch)
- lookup->origin = ISC_LIST_HEAD(search_list);
+ if (lookup->new_search) {
+#ifdef WITH_IDN
+ if ((count_dots(utf8_textname) >= ndots) || !usesearch) {
+ lookup->origin = NULL; /* Force abs lookup */
+ lookup->done_as_is = ISC_TRUE;
+ lookup->need_search = usesearch;
+ } else if (lookup->origin == NULL && usesearch) {
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ lookup->need_search = ISC_FALSE;
+ }
+#else
+ if ((count_dots(lookup->textname) >= ndots) || !usesearch) {
+ lookup->origin = NULL; /* Force abs lookup */
+ lookup->done_as_is = ISC_TRUE;
+ lookup->need_search = usesearch;
+ } else if (lookup->origin == NULL && usesearch) {
+ lookup->origin = ISC_LIST_HEAD(search_list);
+ lookup->need_search = ISC_FALSE;
+ }
+#endif
+ }
+#ifdef WITH_IDN
+ if (lookup->origin != NULL) {
+ mr = idn_encodename(IDN_LOCALCONV | IDN_DELIMMAP,
+ lookup->origin->origin, utf8_origin,
+ sizeof(utf8_origin));
+ idn_check_result(mr, "convert origin to UTF-8");
+ mr = append_textname(utf8_textname, utf8_origin,
+ sizeof(utf8_textname));
+ idn_check_result(mr, "append origin to textname");
+ }
+ mr = idn_encodename(idnoptions | IDN_LOCALMAP | IDN_NAMEPREP |
+ IDN_IDNCONV | IDN_LENCHECK, utf8_textname,
+ idn_textname, sizeof(idn_textname));
+ idn_check_result(mr, "convert UTF-8 textname to IDN encoding");
+#else
if (lookup->origin != NULL) {
debug("trying origin %s", lookup->origin->origin);
result = dns_message_gettempname(lookup->sendmsg,
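Review bot: The two arms of the `#ifdef WITH_IDN` inside `if (lookup->new_search)` are identical except for the string handed to `count_dots()`, so any later change to the search-list logic has to be made twice and the copies can drift apart. Choosing the name once under the `#ifdef`, in a local such as `const char *dotname`, and keeping a single copy of the `if`/`else if` that calls `count_dots(dotname)` removes the duplication without changing behaviour. setup_lookup starts and ends outside this hunk.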
@@ -1683,11 +1864,22 @@ setup_lookup(dig_lookup_t *lookup) {
lookup->textname, isc_result_totext(result));
}
dns_message_puttempname(lookup->sendmsg, &lookup->oname);
- } else {
+ } else
+#endif
+ {
debug("using root origin");
if (lookup->trace && lookup->trace_root)
dns_name_clone(dns_rootname, lookup->name);
else {
+#ifdef WITH_IDN
+ len = strlen(idn_textname);
+ isc_buffer_init(&b, idn_textname, len);
+ isc_buffer_add(&b, len);
+ result = dns_name_fromtext(lookup->name, &b,
+ dns_rootname,
+ ISC_FALSE,
+ &lookup->namebuf);
+#else
len = strlen(lookup->textname);
isc_buffer_init(&b, lookup->textname, len);
isc_buffer_add(&b, len);
@@ -1695,6 +1887,7 @@ setup_lookup(dig_lookup_t *lookup) {
dns_rootname,
ISC_FALSE,
&lookup->namebuf);
+#endif
}
if (result != ISC_R_SUCCESS) {
dns_message_puttempname(lookup->sendmsg,
@@ -1789,10 +1982,13 @@ setup_lookup(dig_lookup_t *lookup) {
result = dns_message_renderbegin(lookup->sendmsg, &cctx,
&lookup->renderbuf);
check_result(result, "dns_message_renderbegin");
- if (lookup->udpsize > 0 || lookup->dnssec) {
+ if (lookup->udpsize > 0 || lookup->dnssec || lookup->edns > -1) {
if (lookup->udpsize == 0)
- lookup->udpsize = 2048;
- add_opt(lookup->sendmsg, lookup->udpsize, lookup->dnssec);
+ lookup->udpsize = 4096;
+ if (lookup->edns < 0)
+ lookup->edns = 0;
+ add_opt(lookup->sendmsg, lookup->udpsize,
+ lookup->edns, lookup->dnssec);
}
result = dns_message_rendersection(lookup->sendmsg,
@@ -1840,6 +2036,7 @@ setup_lookup(dig_lookup_t *lookup) {
query->userarg = serv->userarg;
query->rr_count = 0;
query->msg_count = 0;
+ query->byte_count = 0;
ISC_LINK_INIT(query, link);
ISC_LIST_INIT(query->recvlist);
ISC_LIST_INIT(query->lengthlist);
@@ -1858,12 +2055,13 @@ setup_lookup(dig_lookup_t *lookup) {
}
/* XXX qrflag, print_query, etc... */
if (!ISC_LIST_EMPTY(lookup->q) && qr) {
+ extrabytes = 0;
printmessage(ISC_LIST_HEAD(lookup->q), lookup->sendmsg,
ISC_TRUE);
}
}
-/*
+/*%
* Event handler for send completion. Track send counter, and clear out
* the query if the send was canceled.
*/
@@ -1910,7 +2108,7 @@ send_done(isc_task_t *_task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Cancel a lookup, sending isc_socket_cancel() requests to all outstanding
* IO sockets. The cancel handlers should take care of cleaning up the
* query and lookup structures
@@ -1972,7 +2170,7 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
static void
connect_done(isc_task_t *task, isc_event_t *event);
-/*
+/*%
* Unlike send_udp, this can't be called multiple times with the same
* query. When we retry TCP, we requeue the whole lookup, which should
* start anew.
@@ -2041,7 +2239,7 @@ send_tcp_connect(dig_query_t *query) {
}
}
-/*
+/*%
* Send a UDP packet to the remote nameserver, possible starting the
* recv action as well. Also make sure that the timer is running and
* is properly reset.
@@ -2102,7 +2300,7 @@ send_udp(dig_query_t *query) {
sendcount++;
}
-/*
+/*%
* IO timeout handler, used for both connect and recv timeouts. If
* retries are still allowed, either resend the UDP packet or queue a
* new TCP lookup. Otherwise, cancel the lookup.
@@ -2161,7 +2359,7 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Event handler for the TCP recv which gets the length header of TCP
* packets. Start the next recv of length bytes.
*/
@@ -2245,7 +2443,7 @@ tcp_length_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* For transfers that involve multiple recvs (XFR's in particular),
* launch the next recv.
*/
@@ -2304,7 +2502,7 @@ launch_next_query(dig_query_t *query, isc_boolean_t include_question) {
return;
}
-/*
+/*%
* Event handler for TCP connect complete. Make sure the connection was
* successful, then pass into launch_next_query to actually send the
* question.
@@ -2384,7 +2582,7 @@ connect_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Check if the ongoing XFR needs more data before it's complete, using
* the semantics of IXFR and AXFR protocols. Much of the complexity of
* this routine comes from determining when an IXFR is complete.
@@ -2412,6 +2610,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
*/
query->msg_count++;
+ query->byte_count += sevent->n;
result = dns_message_firstname(msg, DNS_SECTION_ANSWER);
if (result != ISC_R_SUCCESS) {
puts("; Transfer failed.");
@@ -2527,7 +2726,7 @@ check_for_more_data(dig_query_t *query, dns_message_t *msg,
return (ISC_TRUE);
}
-/*
+/*%
* Event handler for recv complete. Perform whatever actions are necessary,
* based on the specifics of the user's request.
*/
@@ -2612,36 +2811,25 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
if (!l->tcp_mode &&
- !isc_sockaddr_equal(&sevent->address, &query->sockaddr)) {
+ !isc_sockaddr_compare(&sevent->address, &query->sockaddr,
+ ISC_SOCKADDR_CMPADDR|
+ ISC_SOCKADDR_CMPPORT|
+ ISC_SOCKADDR_CMPSCOPE|
+ ISC_SOCKADDR_CMPSCOPEZERO)) {
char buf1[ISC_SOCKADDR_FORMATSIZE];
char buf2[ISC_SOCKADDR_FORMATSIZE];
isc_sockaddr_t any;
- if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
+ if (isc_sockaddr_pf(&query->sockaddr) == AF_INET)
isc_sockaddr_any(&any);
else
isc_sockaddr_any6(&any);
-#ifdef ISC_PLATFORM_HAVESCOPEID
- /*
- * Accept answers from any scope if we havn't specified the
- * scope as long as the address and port match.
- */
- if (isc_sockaddr_pf(&query->sockaddr) == AF_INET6 &&
- query->sockaddr.type.sin6.sin6_scope_id == 0 &&
- memcmp(&sevent->address.type.sin6.sin6_addr,
- &query->sockaddr.type.sin6.sin6_addr,
- sizeof(query->sockaddr.type.sin6.sin6_addr)) == 0 &&
- isc_sockaddr_getport(&sevent->address) ==
- isc_sockaddr_getport(&query->sockaddr))
- /* empty */;
- else
-#endif
/*
- * We don't expect a match above when the packet is
- * sent to 0.0.0.0, :: or to a multicast addresses.
- * XXXMPA broadcast needs to be handled here as well.
- */
+ * We don't expect a match when the packet is
+ * sent to 0.0.0.0, :: or to a multicast addresses.
+ * XXXMPA broadcast needs to be handled here as well.
+ */
if ((!isc_sockaddr_eqaddr(&query->sockaddr, &any) &&
!isc_sockaddr_ismulticast(&query->sockaddr)) ||
isc_sockaddr_getport(&query->sockaddr) !=
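Review bot: The call to `isc_sockaddr_compare()` replaces the removed `ISC_PLATFORM_HAVESCOPEID` block, but the explanation of why a scope mismatch is tolerated was removed with it, and this comparison is the check that decides whether a UDP reply came from the server that was queried. A short comment above the call would keep that reasoning, for example `/* Address and port must match; the scope id is compared too, except that an unspecified (zero) scope is accepted. */`. The removed code relaxed the check only when the query's own scope id was zero; whether `ISC_SOCKADDR_CMPSCOPEZERO` is equally narrow is defined in the library rather than in this hunk and is worth confirming. recv_done begins and ends outside the hunk.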
@@ -2691,6 +2879,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
"(< header size) message received\n");
}
+ if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
+ printf(";; Warning: query response not set\n");
+
if (!match) {
isc_buffer_invalidate(&query->recvbuf);
isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
@@ -2757,8 +2948,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
return;
}
- if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0
- && !l->ignore && !l->tcp_mode) {
+ if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
+ !l->ignore && !l->tcp_mode) {
printf(";; Truncated, retrying in TCP mode.\n");
n = requeue_lookup(l, ISC_TRUE);
n->tcp_mode = ISC_TRUE;
@@ -2771,7 +2962,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
return;
}
- if (msg->rcode == dns_rcode_servfail && !l->servfail_stops) {
+ if ((msg->rcode == dns_rcode_servfail && !l->servfail_stops) ||
+ (check_ra && (msg->flags & DNS_MESSAGEFLAG_RA) == 0 && l->recurse))
+ {
dig_query_t *next = ISC_LIST_NEXT(query, link);
if (l->current_query == query)
l->current_query = NULL;
@@ -2789,9 +2982,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
*/
if ((ISC_LIST_HEAD(l->q) != query) ||
(ISC_LIST_NEXT(query, link) != NULL)) {
- printf(";; Got SERVFAIL reply from %s, "
- "trying next server\n",
- query->servname);
+ if( l->comments == ISC_TRUE )
+ printf(";; Got %s from %s, "
+ "trying next server\n",
+ msg->rcode == dns_rcode_servfail ?
+ "SERVFAIL reply" :
+ "recursion not available",
+ query->servname);
clear_query(query);
check_next_lookup(l);
dns_message_destroy(&msg);
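Review bot: `if( l->comments == ISC_TRUE )` guards only the `printf`, while `clear_query(query)` and the calls after it run unconditionally; without braces that is easy to misread, and the spacing and the comparison against `ISC_TRUE` differ from the rest of the file. Writing it as `if (l->comments) {` with a closing `}` after the `printf` matches the surrounding style and makes the scope explicit. recv_done extends beyond this hunk.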
@@ -2818,6 +3015,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
check_result(result,"dns_message_getquerytsig");
}
+ extrabytes = isc_buffer_remaininglength(b);
+
debug("after parse");
if (l->doing_xfr && l->xfr_q == NULL) {
l->xfr_q = query;
@@ -2852,8 +3051,9 @@ recv_done(isc_task_t *task, isc_event_t *event) {
}
if (!l->doing_xfr || l->xfr_q == query) {
- if (msg->rcode != dns_rcode_noerror && l->origin != NULL) {
- if (!next_origin(msg, query)) {
+ if (msg->rcode != dns_rcode_noerror &&
+ (l->origin != NULL || l->need_search)) {
+ if (!next_origin(msg, query) || showsearch) {
printmessage(query, msg, ISC_TRUE);
received(b->used, &sevent->address, query);
}
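Review bot: With `showsearch` set, `printmessage()` and `received()` now run on `query` after `next_origin()` has returned true, and next_origin() calls `cancel_lookup(query->lookup)` before it returns. The comment on cancel_lookup says the cancel handlers clean up the query and lookup structures, which suggests `query` is still valid at this point, but that function's body is not part of this hunk. Once confirmed, a comment here stating that the query outlives the cancel until its handlers run would document the ordering that the new `|| showsearch` depends on. recv_done starts and ends outside the hunk.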
@@ -2887,7 +3087,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (l->trace_root) {
/*
- * This is the initial NS query.
+ * This is the initial NS query.
*/
int n;
@@ -2902,7 +3102,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
if (!do_sigchase)
#endif
printmessage(query, msg, ISC_TRUE);
- }
+ }
#ifdef DIG_SIGCHASE
if (do_sigchase) {
chase_msg = isc_mem_allocate(mctx,
@@ -2921,13 +3121,13 @@ recv_done(isc_task_t *task, isc_event_t *event) {
isc_buffer_usedregion(b, &r);
result = isc_buffer_allocate(mctx, &buf, r.length);
-
+
check_result(result, "isc_buffer_allocate");
result = isc_buffer_copyregion(buf, &r);
check_result(result, "isc_buffer_copyregion");
-
+
result = dns_message_parse(msg_temp, buf, 0);
-
+
isc_buffer_free(&buf);
chase_msg->msg = msg_temp;
@@ -2942,11 +3142,10 @@ recv_done(isc_task_t *task, isc_event_t *event) {
chase_msg2->msg = msg;
}
#endif
-
}
-
+
#ifdef DIG_SIGCHASE
- if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
+ if (l->sigchase && ISC_LIST_EMPTY(lookup_list)) {
sigchase(msg_temp);
}
#endif
@@ -3005,7 +3204,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Turn a name into an address, using system-supplied routines. This is
* used in looking up server names, etc... and needs to use system-supplied
* routines, since they may be using a non-DNS system for these lookups.
@@ -3024,7 +3223,7 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
INSIST(count == 1);
}
-/*
+/*%
* Initiate either a TCP or UDP lookup
*/
void
@@ -3040,7 +3239,7 @@ do_lookup(dig_lookup_t *lookup) {
send_udp(ISC_LIST_HEAD(lookup->q));
}
-/*
+/*%
* Start everything in action upon task startup.
*/
void
@@ -3053,7 +3252,7 @@ onrun_callback(isc_task_t *task, isc_event_t *event) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Make everything on the lookup queue go away. Mainly used by the
* SIGINT handler.
*/
@@ -3097,16 +3296,19 @@ cancel_all(void) {
UNLOCK_LOOKUP;
}
-/*
+/*%
* Destroy all of the libs we are using, and get everything ready for a
* clean shutdown.
*/
void
destroy_libs(void) {
-#ifdef DIG_SIGCHASE
+#ifdef DIG_SIGCHASE
void * ptr;
dig_message_t *chase_msg;
#endif
+#ifdef WITH_IDN
+ isc_result_t result;
+#endif
debug("destroy_libs()");
if (global_task != NULL) {
@@ -3138,6 +3340,13 @@ destroy_libs(void) {
flush_server_list();
clear_searchlist();
+
+#ifdef WITH_IDN
+ result = dns_name_settotextfilter(NULL);
+ check_result(result, "dns_name_settotextfilter");
+#endif
+ dns_name_destroy();
+
if (commctx != NULL) {
debug("freeing commctx");
isc_mempool_destroy(&commctx);
@@ -3214,8 +3423,104 @@ destroy_libs(void) {
isc_mem_destroy(&mctx);
}
+#ifdef WITH_IDN
+static void
+initialize_idn(void) {
+ idn_result_t r;
+ isc_result_t result;
+#ifdef HAVE_SETLOCALE
+ /* Set locale */
+ (void)setlocale(LC_ALL, "");
+#endif
+ /* Create configuration context. */
+ r = idn_nameinit(1);
+ if (r != idn_success)
+ fatal("idn api initialization failed: %s",
+ idn_result_tostring(r));
+
+ /* Set domain name -> text post-conversion filter. */
+ result = dns_name_settotextfilter(output_filter);
+ check_result(result, "dns_name_settotextfilter");
+}
+static isc_result_t
+output_filter(isc_buffer_t *buffer, unsigned int used_org,
+ isc_boolean_t absolute)
+{
+ char tmp1[MAXDLEN], tmp2[MAXDLEN];
+ size_t fromlen, tolen;
+ isc_boolean_t end_with_dot;
+
+ /*
+ * Copy contents of 'buffer' to 'tmp1', supply trailing dot
+ * if 'absolute' is true, and terminate with NUL.
+ */
+ fromlen = isc_buffer_usedlength(buffer) - used_org;
+ if (fromlen >= MAXDLEN)
+ return (ISC_R_SUCCESS);
+ memcpy(tmp1, (char *)isc_buffer_base(buffer) + used_org, fromlen);
+ end_with_dot = (tmp1[fromlen - 1] == '.') ? ISC_TRUE : ISC_FALSE;
+ if (absolute && !end_with_dot) {
+ fromlen++;
+ if (fromlen >= MAXDLEN)
+ return (ISC_R_SUCCESS);
+ tmp1[fromlen - 1] = '.';
+ }
+ tmp1[fromlen] = '\0';
+
+ /*
+ * Convert contents of 'tmp1' to local encoding.
+ */
+ if (idn_decodename(IDN_DECODE_APP, tmp1, tmp2, MAXDLEN) != idn_success)
+ return (ISC_R_SUCCESS);
+ strcpy(tmp1, tmp2);
+
+ /*
+ * Copy the converted contents in 'tmp1' back to 'buffer'.
+ * If we have appended trailing dot, remove it.
+ */
+ tolen = strlen(tmp1);
+ if (absolute && !end_with_dot && tmp1[tolen - 1] == '.')
+ tolen--;
+
+ if (isc_buffer_length(buffer) < used_org + tolen)
+ return (ISC_R_NOSPACE);
+
+ isc_buffer_subtract(buffer, isc_buffer_usedlength(buffer) - used_org);
+ memcpy(isc_buffer_used(buffer), tmp1, tolen);
+ isc_buffer_add(buffer, tolen);
+
+ return (ISC_R_SUCCESS);
+}
+
+static idn_result_t
+append_textname(char *name, const char *origin, size_t namesize) {
+ size_t namelen = strlen(name);
+ size_t originlen = strlen(origin);
+
+ /* Already absolute? */
+ if (namelen > 0 && name[namelen - 1] == '.')
+ return idn_success;
+
+ /* Append dot and origin */
+
+ if (namelen + 1 + originlen >= namesize)
+ return idn_buffer_overflow;
+
+ name[namelen++] = '.';
+ (void)strcpy(name + namelen, origin);
+ return idn_success;
+}
+
+static void
+idn_check_result(idn_result_t r, const char *msg) {
+ if (r != idn_success) {
+ exitcode = 1;
+ fatal("%s: %s", msg, idn_result_tostring(r));
+ }
+}
+#endif /* WITH_IDN */
#ifdef DIG_SIGCHASE
void
@@ -3243,12 +3548,12 @@ void
dump_database_section(dns_message_t *msg, int section)
{
dns_name_t *msg_name=NULL;
-
+
dns_rdataset_t *rdataset;
do {
dns_message_currentname(msg, section, &msg_name);
-
+
for (rdataset = ISC_LIST_HEAD(msg_name->list); rdataset != NULL;
rdataset = ISC_LIST_NEXT(rdataset, link)) {
dns_name_print(msg_name, stdout);
@@ -3267,15 +3572,15 @@ dump_database(void) {
for (msg = ISC_LIST_HEAD(chase_message_list); msg != NULL;
msg = ISC_LIST_NEXT(msg, link)) {
if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
dump_database_section(msg->msg, DNS_SECTION_ANSWER);
-
+
if (dns_message_firstname(msg->msg, DNS_SECTION_AUTHORITY)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
dump_database_section(msg->msg, DNS_SECTION_AUTHORITY);
if (dns_message_firstname(msg->msg, DNS_SECTION_ADDITIONAL)
- == ISC_R_SUCCESS)
+ == ISC_R_SUCCESS)
dump_database_section(msg->msg, DNS_SECTION_ADDITIONAL);
}
}
@@ -3343,7 +3648,7 @@ chase_scanname(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers)
{
dns_rdataset_t *rdataset = NULL;
dig_message_t * msg;
-
+
for (msg = ISC_LIST_HEAD(chase_message_list2); msg != NULL;
msg = ISC_LIST_NEXT(msg, link)) {
if (dns_message_firstname(msg->msg, DNS_SECTION_ANSWER)
@@ -3436,7 +3741,7 @@ insert_trustedkey(dst_key_t * key)
return;
tk_list.key[tk_list.nb_tk++] = key;
- return;
+ return;
}
void
@@ -3459,7 +3764,7 @@ char alphnum[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
isc_result_t
-removetmpkey(isc_mem_t *mctx, const char *file)
+removetmpkey(isc_mem_t *mctx, const char *file)
{
char *tempnamekey = NULL;
int tempnamekeylen;
@@ -3513,14 +3818,14 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
isc_mem_free(mctx, tempname);
return (ISC_R_FAILURE);
}
-
+
x = cp--;
while (cp >= tempname && *cp == 'X') {
isc_random_get(&which);
*cp = alphnum[which % (sizeof(alphnum) - 1)];
x = cp--;
}
-
+
tempnamekeylen = tempnamelen+5;
tempnamekey = isc_mem_allocate(mctx, tempnamekeylen);
if (tempnamekey == NULL)
@@ -3530,7 +3835,7 @@ opentmpkey(isc_mem_t *mctx, const char *file, char **tempp, FILE **fp) {
strlcpy(tempnamekey, tempname, tempnamelen);
strlcat(tempnamekey ,".key", tempnamelen);
-
+
if (isc_file_exists(tempnamekey)) {
isc_mem_free(mctx, tempnamekey);
isc_mem_free(mctx, tempname);
@@ -3565,7 +3870,7 @@ get_trusted_key(isc_mem_t *mctx)
char buf[1500];
FILE *fp, *fptemp;
dst_key_t *key = NULL;
-
+
result = isc_file_exists(trustedkey);
if (result != ISC_TRUE) {
result = isc_file_exists("/etc/trusted-key.key");
@@ -3643,11 +3948,11 @@ nameFromString(const char *str, dns_name_t *p_ret) {
result = dns_name_dup(dns_fixedname_name(&fixedname), mctx, p_ret);
check_result(result, "nameFromString");
-}
+}
#if DIG_SIGCHASE_TD
-isc_result_t
+isc_result_t
prepare_lookup(dns_name_t *name)
{
isc_result_t result;
@@ -3665,7 +3970,7 @@ prepare_lookup(dns_name_t *name)
lookup->rdtype = lookup->rdtype_sigchase;
lookup->rdtypeset = ISC_TRUE;
lookup->qrdtype = lookup->qrdtype_sigchase;
-
+
s = ISC_LIST_HEAD(lookup->my_server_list);
while (s != NULL) {
debug("freeing server %p belonging to %p",
@@ -3699,11 +4004,11 @@ prepare_lookup(dns_name_t *name)
dns_rdataset_current(chase_nsrdataset, &rdata);
(void)dns_rdata_tostruct(&rdata, &ns, NULL);
-
-
-
+
+
+
#ifdef __FOLLOW_GLUE__
-
+
result = advanced_rrsearch(&rdataset, &ns.name,
dns_rdatatype_aaaa,
dns_rdatatype_any, &true);
@@ -3727,12 +4032,12 @@ prepare_lookup(dns_name_t *name)
srv = make_server(namestr, namestr);
-
+
ISC_LIST_APPEND(lookup->my_server_list,
srv, link);
}
}
-
+
rdataset = NULL;
result = advanced_rrsearch(&rdataset, &ns.name, dns_rdatatype_a,
dns_rdatatype_any, &true);
@@ -3754,28 +4059,28 @@ prepare_lookup(dns_name_t *name)
isc_buffer_free(&b);
dns_rdata_reset(&a);
printf("ns name: %s\n", namestr);
-
+
srv = make_server(namestr, namestr);
-
+
ISC_LIST_APPEND(lookup->my_server_list,
srv, link);
}
}
#else
-
+
dns_name_format(&ns.name, namestr, sizeof(namestr));
printf("ns name: ");
dns_name_print(&ns.name, stdout);
printf("\n");
srv = make_server(namestr, namestr);
-
+
ISC_LIST_APPEND(lookup->my_server_list, srv, link);
-#endif
+#endif
dns_rdata_freestruct(&ns);
dns_rdata_reset(&rdata);
-
+
}
ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -3829,10 +4134,10 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
do {
dns_rdataset_current(sigrdataset, &sigrdata);
-
+
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
-
+
if (dns_name_compare(&siginfo.signer, zone_name) == 0) {
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
@@ -3840,7 +4145,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t *sigrdataset)
}
dns_rdata_freestruct(&siginfo);
-
+
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&sigrdata);
@@ -3870,7 +4175,7 @@ initialization(dns_name_t *name)
return (ISC_R_SUCCESS);
}
-#endif
+#endif
void
print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
@@ -3894,10 +4199,10 @@ print_rdataset(dns_name_t *name, dns_rdataset_t *rdataset, isc_mem_t *mctx)
}
-void
+void
dup_name(dns_name_t *source, dns_name_t *target, isc_mem_t *mctx) {
- isc_result_t result;
-
+ isc_result_t result;
+
if (dns_name_dynamic(target))
free_name(target, mctx);
result = dns_name_dup(source, mctx, target);
@@ -3941,12 +4246,12 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
do {
dns_rdataset_current(rdataset, &rdata);
INSIST(rdata.type == dns_rdatatype_dnskey);
-
+
result = dns_dnssec_keyfromrdata(name, &rdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
-
+
for (i = 0; i < tk_list.nb_tk; i++) {
if (dst_key_compare(tk_list.key[i], dnsseckey)
== ISC_TRUE) {
@@ -3966,7 +4271,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
}
}
}
-
+
dns_rdata_reset(&rdata);
if (dnsseckey != NULL)
dst_key_free(&dnsseckey);
@@ -3996,7 +4301,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
do {
dns_rdataset_current(keyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
+
result = dns_dnssec_keyfromrdata(name, &keyrdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
@@ -4028,22 +4333,22 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
result = dns_rdataset_first(sigrdataset);
check_result(result, "empty RRSIG dataset");
dns_rdata_init(&sigrdata);
-
+
do {
dns_rdataset_current(sigrdataset, &sigrdata);
result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
check_result(result, "sigrdata tostruct siginfo");
-
+
/*
* Test if the id of the DNSKEY is
* the id of the DNSKEY signer's
*/
if (siginfo.keyid == dst_key_id(dnsseckey)) {
-
+
result = dns_rdataset_first(rdataset);
check_result(result, "empty DS dataset");
-
+
result = dns_dnssec_verify(name, rdataset, dnsseckey,
ISC_FALSE, mctx, &sigrdata);
@@ -4060,7 +4365,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
}
}
dns_rdata_freestruct(&siginfo);
-
+
} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&sigrdata);
@@ -4086,18 +4391,18 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_init(&dsrdata);
do {
dns_rdataset_current(dsrdataset, &dsrdata);
-
+
result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
check_result(result, "dns_rdata_tostruct for DS");
-
+
result = dns_rdataset_first(keyrdataset);
check_result(result, "empty KEY dataset");
- dns_rdata_init(&keyrdata);
+ dns_rdata_init(&keyrdata);
do {
dns_rdataset_current(keyrdataset, &keyrdata);
INSIST(keyrdata.type == dns_rdatatype_dnskey);
-
+
result = dns_dnssec_keyfromrdata(name, &keyrdata,
mctx, &dnsseckey);
check_result(result, "dns_dnssec_keyfromrdata");
@@ -4112,14 +4417,14 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
result = dns_ds_buildrdata(name, &keyrdata,
dsinfo.digest_type,
dsbuf, &newdsrdata);
- dns_rdata_freestruct(&dsinfo);
+ dns_rdata_freestruct(&dsinfo);
if (result != ISC_R_SUCCESS) {
dns_rdata_reset(&keyrdata);
dns_rdata_reset(&newdsrdata);
dns_rdata_reset(&dsrdata);
dst_key_free(&dnsseckey);
- dns_rdata_freestruct(&dsinfo);
+ dns_rdata_freestruct(&dsinfo);
printf("Oops: impossible to build"
" new DS rdata\n");
return (result);
@@ -4133,7 +4438,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
printf(";; Now verify that this"
" DNSKEY validates the "
"DNSKEY RRset\n");
-
+
result = sigchase_verify_sig_key(name,
keyrdataset,
dnsseckey,
@@ -4144,7 +4449,7 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dns_rdata_reset(&newdsrdata);
dns_rdata_reset(&dsrdata);
dst_key_free(&dnsseckey);
-
+
return (result);
}
} else {
@@ -4158,12 +4463,12 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
dnsseckey = NULL;
} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
dns_rdata_reset(&keyrdata);
-
+
} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
#if 0
dns_rdata_reset(&dsrdata); WARNING
#endif
-
+
return (ISC_R_NOTFOUND);
}
@@ -4176,13 +4481,13 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
* ISC_R_SUCCESS: if we found the rrset
* ISC_R_NOTFOUND: we do not found the rrset in cache
* and we do a query on the net
- * ISC_R_FAILURE: rrset not found
+ * ISC_R_FAILURE: rrset not found
*/
isc_result_t
advanced_rrsearch(dns_rdataset_t **rdataset, dns_name_t *name,
dns_rdatatype_t type, dns_rdatatype_t covers,
isc_boolean_t *lookedup)
-{
+{
isc_boolean_t tmplookedup;
INSIST(rdataset != NULL);
@@ -4257,7 +4562,7 @@ sigchase_td(dns_message_t *msg)
}
}
-
+
if (have_answer) {
chase_rdataset
= chase_scanname_section(msg, &chase_name,
@@ -4317,7 +4622,7 @@ sigchase_td(dns_message_t *msg)
chase_dsrdataset,
mctx);
}
-
+
if (result != ISC_R_SUCCESS) {
printf("\n;; chain of trust can't be validated:"
" FAILED\n\n");
@@ -4369,7 +4674,7 @@ sigchase_td(dns_message_t *msg)
chase_sigrdataset = NULL;
have_response = ISC_FALSE;
have_delegation_ns = ISC_FALSE;
-
+
dns_name_init(&tmp_name, NULL);
result = child_of_zone(&chase_name, &chase_current_name,
&tmp_name);
@@ -4448,8 +4753,8 @@ sigchase_td(dns_message_t *msg)
}
chase_keyrdataset = NULL;
chase_sigkeyrdataset = NULL;
-
-
+
+
prepare_lookup(&chase_authority_name);
have_response = ISC_FALSE;
@@ -4545,7 +4850,7 @@ sigchase_td(dns_message_t *msg)
}
}
-#endif
+#endif
#if DIG_SIGCHASE_BU
@@ -4562,7 +4867,7 @@ getneededrr(dns_message_t *msg)
if ((result = dns_message_firstname(msg, DNS_SECTION_ANSWER))
!= ISC_R_SUCCESS) {
printf(";; NO ANSWERS: %s\n", isc_result_totext(result));
-
+
if (chase_name.ndata == NULL)
return (ISC_R_ADDRNOTAVAIL);
} else {
@@ -4605,7 +4910,7 @@ getneededrr(dns_message_t *msg)
}
INSIST(chase_sigrdataset != NULL);
-
+
/* first find the DNSKEY name */
result = dns_rdataset_first(chase_sigrdataset);
check_result(result, "empty RRSIG dataset");
@@ -4616,7 +4921,7 @@ getneededrr(dns_message_t *msg)
dup_name(&siginfo.signer, &chase_signame, mctx);
dns_rdata_freestruct(&siginfo);
dns_rdata_reset(&sigrdata);
-
+
/* Do we have a key? */
if (chase_keyrdataset == NULL) {
result = advanced_rrsearch(&chase_keyrdataset,
@@ -4685,7 +4990,7 @@ getneededrr(dns_message_t *msg)
print_rdataset(&chase_signame, chase_dsrdataset, mctx);
}
}
-
+
if (chase_dsrdataset != NULL) {
/*
* if there is no RRSIG of DS,
@@ -4744,7 +5049,7 @@ sigchase_bu(dns_message_t *msg)
dns_name_init(&query_name, NULL);
dns_name_init(&rdata_name, NULL);
nameFromString(current_lookup->textname, &query_name);
-
+
result = prove_nx(msg, &query_name, current_lookup->rdclass,
current_lookup->rdtype, &rdata_name,
&rdataset, &sigrdataset);
@@ -4847,7 +5152,7 @@ sigchase_bu(dns_message_t *msg)
chase_sigdsrdataset = NULL;
chase_siglookedup = chase_keylookedup = ISC_FALSE;
chase_dslookedup = chase_sigdslookedup = ISC_FALSE;
-
+
printf(";; Now, we want to validate the DS : recursive call\n");
sigchase(msg);
return;
@@ -4940,7 +5245,7 @@ prove_nx_domain(dns_message_t *msg,
" validate the non-existence : FAILED\n");
return (ISC_R_FAILURE);
}
-
+
do {
nsecname = NULL;
dns_message_currentname(msg, DNS_SECTION_AUTHORITY, &nsecname);
@@ -5086,5 +5391,6 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
rdataset, sigrdataset);
return (ret);
}
+ /* Never get here */
}
#endif
diff --git a/usr.sbin/bind/bin/dig/host.1 b/usr.sbin/bind/bin/dig/host.1
index 6ee75c97151..e0f9b482c49 100644
--- a/usr.sbin/bind/bin/dig/host.1
+++ b/usr.sbin/bind/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (C) 2000-2002 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
@@ -13,13 +13,13 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $ISC: host.1,v 1.11.2.1.4.8 2006/06/29 13:02:30 marka Exp $
+.\" $ISC: host.1,v 1.14.18.14 2007/05/09 03:33:12 marka Exp $
.\"
.hy 0
.ad l
.\" Title: host
.\" Author:
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
.\" Date: Jun 30, 2000
.\" Manual: BIND9
.\" Source: BIND9
@@ -33,7 +33,7 @@
host \- DNS lookup utility
.SH "SYNOPSIS"
.HP 5
-\fBhost\fR [\fB\-aCdlnrTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
+\fBhost\fR [\fB\-aCdlnrsTwv\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-N\ \fR\fB\fIndots\fR\fR] [\fB\-R\ \fR\fB\fInumber\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-W\ \fR\fB\fIwait\fR\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-4\fR] [\fB\-6\fR] {name} [server]
.SH "DESCRIPTION"
.PP
\fBhost\fR
@@ -130,7 +130,7 @@ makes. This should mean that the name server receiving the query will not attemp
\fB\-r\fR
option enables
\fBhost\fR
-to mimic the behaviour of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
+to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
.PP
By default
\fBhost\fR
@@ -152,7 +152,7 @@ The
\fB\-t\fR
option is used to select the query type.
\fItype\fR
-can be any recognised query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
\fBhost\fR
automatically selects an appropriate query type. By default it looks for A records, but if the
\fB\-C\fR
@@ -179,6 +179,32 @@ is less than one, the wait interval is set to one second. When the
option is used,
\fBhost\fR
will effectively wait forever for a reply. The time to wait for a response will be set to the number of seconds given by the hardware's maximum value for an integer quantity.
+.PP
+The
+\fB\-s\fR
+option tells
+\fBhost\fR
+\fInot\fR
+to send the query to the next nameserver if any server responds with a SERVFAIL response, which is the reverse of normal stub resolver behavior.
+.PP
+The
+\fB\-m\fR
+can be used to set the memory usage debugging flags
+\fIrecord\fR,
+\fIusage\fR
+and
+\fItrace\fR.
+.SH "IDN SUPPORT"
+.PP
+If
+\fBhost\fR
+has been built with IDN (internationalized domain name) support, it can accept and display non\-ASCII domain names.
+\fBhost\fR
+appropriately converts character encoding of domain name before sending a request to DNS server or displaying a reply from the server. If you'd like to turn off the IDN support for some reason, defines the
+\fBIDN_DISABLE\fR
+environment variable. The IDN support is disabled if the variable is set when
+\fBhost\fR
+runs.
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
@@ -187,4 +213,7 @@ will effectively wait forever for a reply. The time to wait for a response will
\fBdig\fR(1),
\fBnamed\fR(8).
.SH "COPYRIGHT"
-Copyright \(co 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2000\-2002 Internet Software Consortium.
+.br
diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c
index 0f487876016..329689cc691 100644
--- a/usr.sbin/bind/bin/dig/host.c
+++ b/usr.sbin/bind/bin/dig/host.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,11 +15,25 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: host.c,v 1.76.2.5.2.16 2006/05/23 04:43:47 marka Exp $ */
+/* $ISC: host.c,v 1.94.18.19 2007/08/28 07:19:55 tbox Exp $ */
+
+/*! \file */
#include <config.h>
+#include <stdlib.h>
#include <limits.h>
+#ifdef HAVE_LOCALE_H
+#include <locale.h>
+#endif
+
+#ifdef WITH_IDN
+#include <idn/result.h>
+#include <idn/log.h>
+#include <idn/resconf.h>
+#include <idn/api.h>
+#endif
+
#include <isc/app.h>
#include <isc/commandline.h>
#include <isc/netaddr.h>
@@ -114,8 +128,8 @@ static void
show_usage(void) {
fputs(
"Usage: host [-aCdlriTwv] [-c class] [-N ndots] [-t type] [-W time]\n"
-" [-R number] hostname [server]\n"
-" -a is equivalent to -v -t *\n"
+" [-R number] [-m flag] hostname [server]\n"
+" -a is equivalent to -v -t ANY\n"
" -c specifies query class for non-IN data\n"
" -C compares SOA records on authoritative nameservers\n"
" -d is equivalent to -v\n"
@@ -124,13 +138,15 @@ show_usage(void) {
" -N changes the number of dots allowed before root lookup is done\n"
" -r disables recursive processing\n"
" -R specifies number of retries for UDP packets\n"
+" -s a SERVFAIL response should stop query\n"
" -t specifies the query type\n"
" -T enables TCP/IP mode\n"
" -v enables verbose output\n"
" -w specifies to wait forever for a reply\n"
" -W specifies how long to wait for a reply\n"
" -4 use IPv4 query transport only\n"
-" -6 use IPv6 query transport only\n", stderr);
+" -6 use IPv6 query transport only\n"
+" -m set memory debugging flag (trace|record|usage)\n", stderr);
exit(1);
}
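Review bot: The `-s` line added to the option list here has no counterpart in the synopsis string at the top of show_usage, which the previous hunk leaves as `[-aCdlriTwv]` while adding only `[-m flag]`. The printed summary therefore no longer lists every flag the help text describes. Changing the synopsis to `"Usage: host [-aCdlrisTwv] [-c class] [-N ndots] [-t type] [-W time]\n"` would keep the two in step.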
@@ -410,8 +426,10 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
if (msg->rcode != 0) {
char namestr[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name, namestr, sizeof(namestr));
- printf("Host %s not found: %d(%s)\n", namestr,
- msg->rcode, rcodetext[msg->rcode]);
+ printf("Host %s not found: %d(%s)\n",
+ (msg->rcode != dns_rcode_nxdomain) ? namestr :
+ query->lookup->textname, msg->rcode,
+ rcodetext[msg->rcode]);
return (ISC_R_SUCCESS);
}
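Review bot: `rcodetext[msg->rcode]` in the rewritten printf indexes the table with a value taken from the server's response, and nothing in this hunk bounds it. The declaration of rcodetext is outside the hunk, so its length cannot be confirmed from here, but if a response can carry an rcode larger than the table the read runs past its end. Passing `msg->rcode < sizeof(rcodetext) / sizeof(rcodetext[0]) ? rcodetext[msg->rcode] : "UNKNOWN"` as the last argument would keep the lookup in range. printmessage starts and ends outside the hunk.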
@@ -554,6 +572,53 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
return (result);
}
+static const char * optstring = "46ac:dilnm:rst:vwCDN:R:TW:";
+
+static void
+pre_parse_args(int argc, char **argv) {
+ int c;
+
+ while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
+ switch (c) {
+ case 'm':
+ memdebugging = ISC_TRUE;
+ if (strcasecmp("trace", isc_commandline_argument) == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+ else if (!strcasecmp("record",
+ isc_commandline_argument) == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+ else if (strcasecmp("usage",
+ isc_commandline_argument) == 0)
+ isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+ break;
+
+ case '4': break;
+ case '6': break;
+ case 'a': break;
+ case 'c': break;
+ case 'd': break;
+ case 'i': break;
+ case 'l': break;
+ case 'n': break;
+ case 'r': break;
+ case 's': break;
+ case 't': break;
+ case 'v': break;
+ case 'w': break;
+ case 'C': break;
+ case 'D': break;
+ case 'N': break;
+ case 'R': break;
+ case 'T': break;
+ case 'W': break;
+ default:
+ show_usage();
+ }
+ }
+ isc_commandline_reset = ISC_TRUE;
+ isc_commandline_index = 1;
+}
+
static void
parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
char hostname[MXNAME];
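Review bot: The `record` test in pre_parse_args is inverted: `!strcasecmp("record", isc_commandline_argument) == 0` parses as `(!strcasecmp(...)) == 0`, which is true for every argument except `record`. As written, `-m usage` and any unrecognised value set ISC_MEM_DEBUGRECORD, `-m record` sets nothing, and the `usage` branch can never set ISC_MEM_DEBUGUSAGE. Dropping the negation makes it match its neighbours: `else if (strcasecmp("record", isc_commandline_argument) == 0)`. A final `else show_usage();` would also reject unknown -m values instead of accepting them silently. parse_args, whose first lines close this hunk, continues outside it.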
@@ -570,8 +635,10 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup = make_empty_lookup();
- while ((c = isc_commandline_parse(argc, argv, "lvwrdt:c:aTCN:R:W:Dni46"))
- != EOF) {
+ lookup->servfail_stops = ISC_FALSE;
+ lookup->comments = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, optstring)) != -1) {
switch (c) {
case 'l':
lookup->tcp_mode = ISC_TRUE;
@@ -610,6 +677,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
lookup->rdtype != dns_rdatatype_axfr)
lookup->rdtype = rdtype;
lookup->rdtypeset = ISC_TRUE;
+#ifdef WITH_IDN
+ idnoptions = 0;
+#endif
if (rdtype == dns_rdatatype_axfr) {
/* -l -t any -v */
list_type = dns_rdatatype_any;
@@ -618,6 +688,13 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
} else if (rdtype == dns_rdatatype_ixfr) {
lookup->ixfr_serial = serial;
list_type = rdtype;
+#ifdef WITH_IDN
+ } else if (rdtype == dns_rdatatype_a ||
+ rdtype == dns_rdatatype_aaaa ||
+ rdtype == dns_rdatatype_mx) {
+ idnoptions = IDN_ASCCHECK;
+ list_type = rdtype;
+#endif
} else
list_type = rdtype;
list_addresses = ISC_FALSE;
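Review bot: The new `WITH_IDN` branch gives no reason why `idnoptions = IDN_ASCCHECK` is restored only for A, AAAA and MX, after the previous hunk clears it to 0 for every `-t` argument. A reader cannot tell whether the ASCII check is deliberately dropped for all other types or whether some were overlooked. Presumably the check is meant for query types whose owner name is a host name; if so, a comment above the branch such as `/* Keep the IDN ASCII check for host-name query types only. */` would record that. The enclosing `case 't':` of parse_args starts outside the hunk.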
@@ -655,6 +732,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
case 'n':
/* deprecated */
break;
+ case 'm':
+ /* Handled by pre_parse_args(). */
+ break;
case 'w':
/*
* The timer routines are coded such that
@@ -708,6 +788,9 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
} else
fatal("can't find IPv6 networking");
break;
+ case 's':
+ lookup->servfail_stops = ISC_TRUE;
+ break;
}
}
@@ -721,7 +804,8 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
set_nameserver(argv[isc_commandline_index+1]);
debug("server is %s", argv[isc_commandline_index+1]);
listed_server = ISC_TRUE;
- }
+ } else
+ check_ra = ISC_TRUE;
lookup->pending = ISC_FALSE;
if (get_reverse(store, sizeof(store), hostname,
@@ -750,9 +834,13 @@ main(int argc, char **argv) {
ISC_LIST_INIT(search_list);
fatalexit = 1;
+#ifdef WITH_IDN
+ idnoptions = IDN_ASCCHECK;
+#endif
debug("main()");
progname = argv[0];
+ pre_parse_args(argc, argv);
result = isc_app_start();
check_result(result, "isc_app_start");
setup_libs();
@@ -766,4 +854,3 @@ main(int argc, char **argv) {
isc_app_finish();
return ((seen_error == 0) ? 0 : 1);
}
-
diff --git a/usr.sbin/bind/bin/dig/host.docbook b/usr.sbin/bind/bin/dig/host.docbook
index 12cecbf15b9..f8ec62fe415 100644
--- a/usr.sbin/bind/bin/dig/host.docbook
+++ b/usr.sbin/bind/bin/dig/host.docbook
@@ -1,11 +1,11 @@
-<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
- "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "&#8212;">]>
<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- - Permission to use, copy, modify, and distribute this software for any
+ - Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
@@ -18,24 +18,29 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $ISC: host.docbook,v 1.2.2.2.4.7 2005/05/13 01:22:32 marka Exp $ -->
+<!-- $ISC: host.docbook,v 1.5.18.11 2007/08/28 07:19:55 tbox Exp $ -->
+<refentry id="man.host">
-<refentry>
+ <refentryinfo>
+ <date>Jun 30, 2000</date>
+ </refentryinfo>
-<refentryinfo>
-<date>Jun 30, 2000</date>
-</refentryinfo>
+ <refmeta>
+ <refentrytitle>host</refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
-<refmeta>
-<refentrytitle>host</refentrytitle>
-<manvolnum>1</manvolnum>
-<refmiscinfo>BIND9</refmiscinfo>
-</refmeta>
+ <refnamediv>
+ <refname>host</refname>
+ <refpurpose>DNS lookup utility</refpurpose>
+ </refnamediv>
<docinfo>
<copyright>
<year>2004</year>
<year>2005</year>
+ <year>2007</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
@@ -46,183 +51,227 @@
</copyright>
</docinfo>
-<refnamediv>
-<refname>host</refname>
-<refpurpose>DNS lookup utility</refpurpose>
-</refnamediv>
-
-<refsynopsisdiv>
-<cmdsynopsis>
- <command>host</command>
- <arg><option>-aCdlnrTwv</option></arg>
- <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
- <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
- <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
- <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
- <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
- <arg><option>-4</option></arg>
- <arg><option>-6</option></arg>
- <arg choice="req">name</arg>
- <arg choice="opt">server</arg>
-</cmdsynopsis>
-</refsynopsisdiv>
-
-<refsect1>
-<title>DESCRIPTION</title>
-<para>
-<command>host</command>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<command>host</command>
-prints a short summary of its command line arguments and options.
-</para>
-
-<para>
-<parameter>name</parameter> is the domain name that is to be looked
-up. It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <command>host</command> will by default
-perform a reverse lookup for that address.
-<parameter>server</parameter> is an optional argument which is either
-the name or IP address of the name server that <command>host</command>
-should query instead of the server or servers listed in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The <option>-a</option> (all) option is equivalent to setting the
-<option>-v</option> option and asking <command>host</command> to make
-a query of type ANY.
-</para>
-
-<para>
-When the <option>-C</option> option is used, <command>host</command>
-will attempt to display the SOA records for zone
-<parameter>name</parameter> from all the listed authoritative name
-servers for that zone. The list of name servers is defined by the NS
-records that are found for the zone.
-</para>
-
-<para>
-The <option>-c</option> option instructs to make a DNS query of class
-<parameter>class</parameter>. This can be used to lookup Hesiod or
-Chaosnet class resource records. The default class is IN (Internet).
-</para>
-
-<para>
-Verbose output is generated by <command>host</command> when the
-<option>-d</option> or <option>-v</option> option is used. The two
-options are equivalent. They have been provided for backwards
-compatibility. In previous versions, the <option>-d</option> option
-switched on debugging traces and <option>-v</option> enabled verbose
-output.
-</para>
-
-<para>
-List mode is selected by the <option>-l</option> option. This makes
-<command>host</command> perform a zone transfer for zone
-<parameter>name</parameter>. Transfer the zone printing out the NS, PTR
-and address records (A/AAAA). If combined with <option>-a</option>
-all records will be printed.
-</para>
-
-<para>
-The <option>-i</option>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</para>
-
-<para>
-The <option>-N</option> option sets the number of dots that have to be
-in <parameter>name</parameter> for it to be considered absolute. The
-default value is that defined using the ndots statement in
-<filename>/etc/resolv.conf</filename>, or 1 if no ndots statement is
-present. Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <type>search</type>
-or <type>domain</type> directive in
-<filename>/etc/resolv.conf</filename>.
-</para>
-
-<para>
-The number of UDP retries for a lookup can be changed with the
-<option>-R</option> option. <parameter>number</parameter> indicates
-how many times <command>host</command> will repeat a query that does
-not get answered. The default number of retries is 1. If
-<parameter>number</parameter> is negative or zero, the number of
-retries will default to 1.
-</para>
-
-<para>
-Non-recursive queries can be made via the <option>-r</option> option.
-Setting this option clears the <type>RD</type> &mdash; recursion
-desired &mdash; bit in the query which <command>host</command> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <parameter>name</parameter>. The
-<option>-r</option> option enables <command>host</command> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</para>
-
-<para>
-By default <command>host</command> uses UDP when making queries. The
-<option>-T</option> option makes it use a TCP connection when querying
-the name server. TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</para>
-
-<para>
-The <option>-4</option> option forces <command>host</command> to only
-use IPv4 query transport. The <option>-6</option> option forces
-<command>host</command> to only use IPv6 query transport.
-</para>
-
-<para>
-The <option>-t</option> option is used to select the query type.
-<parameter>type</parameter> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-<command>host</command> automatically selects an appropriate query
-type. By default it looks for A records, but if the
-<option>-C</option> option was given, queries will be made for SOA
-records, and if <parameter>name</parameter> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <command>host</command> will
-query for PTR records. If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</para>
-
-<para>
-The time to wait for a reply can be controlled through the
-<option>-W</option> and <option>-w</option> options. The
-<option>-W</option> option makes <command>host</command> wait for
-<parameter>wait</parameter> seconds. If <parameter>wait</parameter>
-is less than one, the wait interval is set to one second. When the
-<option>-w</option> option is used, <command>host</command> will
-effectively wait forever for a reply. The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</para>
-
-</refsect1>
-
-<refsect1>
-<title>FILES</title>
-<para>
-<filename>/etc/resolv.conf</filename>
-</para>
-</refsect1>
-
-<refsect1>
-<title>SEE ALSO</title>
-<para>
-<citerefentry>
-<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
-</citerefentry>,
-<citerefentry>
-<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
-</citerefentry>.
-</para>
-
-</refsect1>
-</refentry>
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>host</command>
+ <arg><option>-aCdlnrsTwv</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-N <replaceable class="parameter">ndots</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">number</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-W <replaceable class="parameter">wait</replaceable></option></arg>
+ <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
+ <arg><option>-4</option></arg>
+ <arg><option>-6</option></arg>
+ <arg choice="req">name</arg>
+ <arg choice="opt">server</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+
+ <para><command>host</command>
+ is a simple utility for performing DNS lookups.
+ It is normally used to convert names to IP addresses and vice versa.
+ When no arguments or options are given,
+ <command>host</command>
+ prints a short summary of its command line arguments and options.
+ </para>
+
+ <para><parameter>name</parameter> is the domain name that is to be
+ looked
+ up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+ IPv6 address, in which case <command>host</command> will by
+ default
+ perform a reverse lookup for that address.
+ <parameter>server</parameter> is an optional argument which
+ is either
+ the name or IP address of the name server that <command>host</command>
+ should query instead of the server or servers listed in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+
+ <para>
+ The <option>-a</option> (all) option is equivalent to setting the
+ <option>-v</option> option and asking <command>host</command> to make
+ a query of type ANY.
+ </para>
+
+ <para>
+ When the <option>-C</option> option is used, <command>host</command>
+ will attempt to display the SOA records for zone
+ <parameter>name</parameter> from all the listed
+ authoritative name
+ servers for that zone. The list of name servers is defined by the NS
+ records that are found for the zone.
+ </para>
+
+ <para>
+ The <option>-c</option> option instructs to make a DNS query of class
+ <parameter>class</parameter>. This can be used to lookup
+ Hesiod or
+ Chaosnet class resource records. The default class is IN (Internet).
+ </para>
+
+ <para>
+ Verbose output is generated by <command>host</command> when
+ the
+ <option>-d</option> or <option>-v</option> option is used. The two
+ options are equivalent. They have been provided for backwards
+ compatibility. In previous versions, the <option>-d</option> option
+ switched on debugging traces and <option>-v</option> enabled verbose
+ output.
+ </para>
+
+ <para>
+ List mode is selected by the <option>-l</option> option. This makes
+ <command>host</command> perform a zone transfer for zone
+ <parameter>name</parameter>. Transfer the zone printing out
+ the NS, PTR
+ and address records (A/AAAA). If combined with <option>-a</option>
+ all records will be printed.
+ </para>
+
+ <para>
+ The <option>-i</option>
+ option specifies that reverse lookups of IPv6 addresses should
+ use the IP6.INT domain as defined in RFC1886.
+ The default is to use IP6.ARPA.
+ </para>
+
+ <para>
+ The <option>-N</option> option sets the number of dots that have to be
+ in <parameter>name</parameter> for it to be considered
+ absolute. The
+ default value is that defined using the ndots statement in
+ <filename>/etc/resolv.conf</filename>, or 1 if no ndots
+ statement is
+ present. Names with fewer dots are interpreted as relative names and
+ will be searched for in the domains listed in the <type>search</type>
+ or <type>domain</type> directive in
+ <filename>/etc/resolv.conf</filename>.
+ </para>
+
+ <para>
+ The number of UDP retries for a lookup can be changed with the
+ <option>-R</option> option. <parameter>number</parameter>
+ indicates
+ how many times <command>host</command> will repeat a query
+ that does
+ not get answered. The default number of retries is 1. If
+ <parameter>number</parameter> is negative or zero, the
+ number of
+ retries will default to 1.
+ </para>
+
+ <para>
+ Non-recursive queries can be made via the <option>-r</option> option.
+ Setting this option clears the <type>RD</type> &mdash; recursion
+ desired &mdash; bit in the query which <command>host</command> makes.
+ This should mean that the name server receiving the query will not
+ attempt to resolve <parameter>name</parameter>. The
+ <option>-r</option> option enables <command>host</command>
+ to mimic
+ the behavior of a name server by making non-recursive queries and
+ expecting to receive answers to those queries that are usually
+ referrals to other name servers.
+ </para>
+
+ <para>
+ By default <command>host</command> uses UDP when making
+ queries. The
+ <option>-T</option> option makes it use a TCP connection when querying
+ the name server. TCP will be automatically selected for queries that
+ require it, such as zone transfer (AXFR) requests.
+ </para>
+
+ <para>
+ The <option>-4</option> option forces <command>host</command> to only
+ use IPv4 query transport. The <option>-6</option> option forces
+ <command>host</command> to only use IPv6 query transport.
+ </para>
+
+ <para>
+ The <option>-t</option> option is used to select the query type.
+ <parameter>type</parameter> can be any recognized query
+ type: CNAME,
+ NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+ <command>host</command> automatically selects an appropriate
+ query
+ type. By default it looks for A records, but if the
+ <option>-C</option> option was given, queries will be made for SOA
+ records, and if <parameter>name</parameter> is a
+ dotted-decimal IPv4
+ address or colon-delimited IPv6 address, <command>host</command> will
+ query for PTR records. If a query type of IXFR is chosen the starting
+ serial number can be specified by appending an equal followed by the
+ starting serial number (e.g. -t IXFR=12345678).
+ </para>
+
+ <para>
+ The time to wait for a reply can be controlled through the
+ <option>-W</option> and <option>-w</option> options. The
+ <option>-W</option> option makes <command>host</command>
+ wait for
+ <parameter>wait</parameter> seconds. If <parameter>wait</parameter>
+ is less than one, the wait interval is set to one second. When the
+ <option>-w</option> option is used, <command>host</command>
+ will
+ effectively wait forever for a reply. The time to wait for a response
+ will be set to the number of seconds given by the hardware's maximum
+ value for an integer quantity.
+ </para>
+
+ <para>
+ The <option>-s</option> option tells <command>host</command>
+ <emphasis>not</emphasis> to send the query to the next nameserver
+ if any server responds with a SERVFAIL response, which is the
+ reverse of normal stub resolver behavior.
+ </para>
+
+ <para>
+ The <option>-m</option> can be used to set the memory usage debugging
+ flags
+ <parameter>record</parameter>, <parameter>usage</parameter> and
+ <parameter>trace</parameter>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>IDN SUPPORT</title>
+ <para>
+ If <command>host</command> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <command>host</command> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <envar>IDN_DISABLE</envar> environment variable.
+ The IDN support is disabled if the variable is set when
+ <command>host</command> runs.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>FILES</title>
+ <para><filename>/etc/resolv.conf</filename>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+
+ </refsect1>
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/usr.sbin/bind/bin/dig/host.html b/usr.sbin/bind/bin/dig/host.html
index 7830a91dcd8..5ee597dc71d 100644
--- a/usr.sbin/bind/bin/dig/host.html
+++ b/usr.sbin/bind/bin/dig/host.html
@@ -1,5 +1,5 @@
<!--
- - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2002 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
@@ -14,158 +14,199 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $ISC: host.html,v 1.4.2.1.4.14 2006/06/29 13:02:30 marka Exp $ -->
+<!-- $ISC: host.html,v 1.7.18.20 2007/05/09 03:33:12 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>host</title>
-<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2482688"></a><div class="titlepage"></div>
+<a name="man.host"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p>host &#8212; DNS lookup utility</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
+<div class="cmdsynopsis"><p><code class="command">host</code> [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
</div>
<div class="refsect1" lang="en">
-<a name="id2549466"></a><h2>DESCRIPTION</h2>
-<p>
-<span><strong class="command">host</strong></span>
-is a simple utility for performing DNS lookups.
-It is normally used to convert names to IP addresses and vice versa.
-When no arguments or options are given,
-<span><strong class="command">host</strong></span>
-prints a short summary of its command line arguments and options.
-</p>
-<p>
-<em class="parameter"><code>name</code></em> is the domain name that is to be looked
-up. It can also be a dotted-decimal IPv4 address or a colon-delimited
-IPv6 address, in which case <span><strong class="command">host</strong></span> will by default
-perform a reverse lookup for that address.
-<em class="parameter"><code>server</code></em> is an optional argument which is either
-the name or IP address of the name server that <span><strong class="command">host</strong></span>
-should query instead of the server or servers listed in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The <code class="option">-a</code> (all) option is equivalent to setting the
-<code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
-a query of type ANY.
-</p>
-<p>
-When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
-will attempt to display the SOA records for zone
-<em class="parameter"><code>name</code></em> from all the listed authoritative name
-servers for that zone. The list of name servers is defined by the NS
-records that are found for the zone.
-</p>
-<p>
-The <code class="option">-c</code> option instructs to make a DNS query of class
-<em class="parameter"><code>class</code></em>. This can be used to lookup Hesiod or
-Chaosnet class resource records. The default class is IN (Internet).
-</p>
-<p>
-Verbose output is generated by <span><strong class="command">host</strong></span> when the
-<code class="option">-d</code> or <code class="option">-v</code> option is used. The two
-options are equivalent. They have been provided for backwards
-compatibility. In previous versions, the <code class="option">-d</code> option
-switched on debugging traces and <code class="option">-v</code> enabled verbose
-output.
-</p>
-<p>
-List mode is selected by the <code class="option">-l</code> option. This makes
-<span><strong class="command">host</strong></span> perform a zone transfer for zone
-<em class="parameter"><code>name</code></em>. Transfer the zone printing out the NS, PTR
-and address records (A/AAAA). If combined with <code class="option">-a</code>
-all records will be printed.
-</p>
-<p>
-The <code class="option">-i</code>
-option specifies that reverse lookups of IPv6 addresses should
-use the IP6.INT domain as defined in RFC1886.
-The default is to use IP6.ARPA.
-</p>
-<p>
-The <code class="option">-N</code> option sets the number of dots that have to be
-in <em class="parameter"><code>name</code></em> for it to be considered absolute. The
-default value is that defined using the ndots statement in
-<code class="filename">/etc/resolv.conf</code>, or 1 if no ndots statement is
-present. Names with fewer dots are interpreted as relative names and
-will be searched for in the domains listed in the <span class="type">search</span>
-or <span class="type">domain</span> directive in
-<code class="filename">/etc/resolv.conf</code>.
-</p>
-<p>
-The number of UDP retries for a lookup can be changed with the
-<code class="option">-R</code> option. <em class="parameter"><code>number</code></em> indicates
-how many times <span><strong class="command">host</strong></span> will repeat a query that does
-not get answered. The default number of retries is 1. If
-<em class="parameter"><code>number</code></em> is negative or zero, the number of
-retries will default to 1.
-</p>
-<p>
-Non-recursive queries can be made via the <code class="option">-r</code> option.
-Setting this option clears the <span class="type">RD</span> &#8212; recursion
-desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
-This should mean that the name server receiving the query will not
-attempt to resolve <em class="parameter"><code>name</code></em>. The
-<code class="option">-r</code> option enables <span><strong class="command">host</strong></span> to mimic
-the behaviour of a name server by making non-recursive queries and
-expecting to receive answers to those queries that are usually
-referrals to other name servers.
-</p>
-<p>
-By default <span><strong class="command">host</strong></span> uses UDP when making queries. The
-<code class="option">-T</code> option makes it use a TCP connection when querying
-the name server. TCP will be automatically selected for queries that
-require it, such as zone transfer (AXFR) requests.
-</p>
-<p>
-The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
-use IPv4 query transport. The <code class="option">-6</code> option forces
-<span><strong class="command">host</strong></span> to only use IPv6 query transport.
-</p>
-<p>
-The <code class="option">-t</code> option is used to select the query type.
-<em class="parameter"><code>type</code></em> can be any recognised query type: CNAME,
-NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
-<span><strong class="command">host</strong></span> automatically selects an appropriate query
-type. By default it looks for A records, but if the
-<code class="option">-C</code> option was given, queries will be made for SOA
-records, and if <em class="parameter"><code>name</code></em> is a dotted-decimal IPv4
-address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
-query for PTR records. If a query type of IXFR is chosen the starting
-serial number can be specified by appending an equal followed by the
-starting serial number (e.g. -t IXFR=12345678).
-</p>
-<p>
-The time to wait for a reply can be controlled through the
-<code class="option">-W</code> and <code class="option">-w</code> options. The
-<code class="option">-W</code> option makes <span><strong class="command">host</strong></span> wait for
-<em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
-is less than one, the wait interval is set to one second. When the
-<code class="option">-w</code> option is used, <span><strong class="command">host</strong></span> will
-effectively wait forever for a reply. The time to wait for a response
-will be set to the number of seconds given by the hardware's maximum
-value for an integer quantity.
-</p>
+<a name="id2543428"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">host</strong></span>
+ is a simple utility for performing DNS lookups.
+ It is normally used to convert names to IP addresses and vice versa.
+ When no arguments or options are given,
+ <span><strong class="command">host</strong></span>
+ prints a short summary of its command line arguments and options.
+ </p>
+<p><em class="parameter"><code>name</code></em> is the domain name that is to be
+ looked
+ up. It can also be a dotted-decimal IPv4 address or a colon-delimited
+ IPv6 address, in which case <span><strong class="command">host</strong></span> will by
+ default
+ perform a reverse lookup for that address.
+ <em class="parameter"><code>server</code></em> is an optional argument which
+ is either
+ the name or IP address of the name server that <span><strong class="command">host</strong></span>
+ should query instead of the server or servers listed in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ The <code class="option">-a</code> (all) option is equivalent to setting the
+ <code class="option">-v</code> option and asking <span><strong class="command">host</strong></span> to make
+ a query of type ANY.
+ </p>
+<p>
+ When the <code class="option">-C</code> option is used, <span><strong class="command">host</strong></span>
+ will attempt to display the SOA records for zone
+ <em class="parameter"><code>name</code></em> from all the listed
+ authoritative name
+ servers for that zone. The list of name servers is defined by the NS
+ records that are found for the zone.
+ </p>
+<p>
+ The <code class="option">-c</code> option instructs to make a DNS query of class
+ <em class="parameter"><code>class</code></em>. This can be used to lookup
+ Hesiod or
+ Chaosnet class resource records. The default class is IN (Internet).
+ </p>
+<p>
+ Verbose output is generated by <span><strong class="command">host</strong></span> when
+ the
+ <code class="option">-d</code> or <code class="option">-v</code> option is used. The two
+ options are equivalent. They have been provided for backwards
+ compatibility. In previous versions, the <code class="option">-d</code> option
+ switched on debugging traces and <code class="option">-v</code> enabled verbose
+ output.
+ </p>
+<p>
+ List mode is selected by the <code class="option">-l</code> option. This makes
+ <span><strong class="command">host</strong></span> perform a zone transfer for zone
+ <em class="parameter"><code>name</code></em>. Transfer the zone printing out
+ the NS, PTR
+ and address records (A/AAAA). If combined with <code class="option">-a</code>
+ all records will be printed.
+ </p>
+<p>
+ The <code class="option">-i</code>
+ option specifies that reverse lookups of IPv6 addresses should
+ use the IP6.INT domain as defined in RFC1886.
+ The default is to use IP6.ARPA.
+ </p>
+<p>
+ The <code class="option">-N</code> option sets the number of dots that have to be
+ in <em class="parameter"><code>name</code></em> for it to be considered
+ absolute. The
+ default value is that defined using the ndots statement in
+ <code class="filename">/etc/resolv.conf</code>, or 1 if no ndots
+ statement is
+ present. Names with fewer dots are interpreted as relative names and
+ will be searched for in the domains listed in the <span class="type">search</span>
+ or <span class="type">domain</span> directive in
+ <code class="filename">/etc/resolv.conf</code>.
+ </p>
+<p>
+ The number of UDP retries for a lookup can be changed with the
+ <code class="option">-R</code> option. <em class="parameter"><code>number</code></em>
+ indicates
+ how many times <span><strong class="command">host</strong></span> will repeat a query
+ that does
+ not get answered. The default number of retries is 1. If
+ <em class="parameter"><code>number</code></em> is negative or zero, the
+ number of
+ retries will default to 1.
+ </p>
+<p>
+ Non-recursive queries can be made via the <code class="option">-r</code> option.
+ Setting this option clears the <span class="type">RD</span> &#8212; recursion
+ desired &#8212; bit in the query which <span><strong class="command">host</strong></span> makes.
+ This should mean that the name server receiving the query will not
+ attempt to resolve <em class="parameter"><code>name</code></em>. The
+ <code class="option">-r</code> option enables <span><strong class="command">host</strong></span>
+ to mimic
+ the behavior of a name server by making non-recursive queries and
+ expecting to receive answers to those queries that are usually
+ referrals to other name servers.
+ </p>
+<p>
+ By default <span><strong class="command">host</strong></span> uses UDP when making
+ queries. The
+ <code class="option">-T</code> option makes it use a TCP connection when querying
+ the name server. TCP will be automatically selected for queries that
+ require it, such as zone transfer (AXFR) requests.
+ </p>
+<p>
+ The <code class="option">-4</code> option forces <span><strong class="command">host</strong></span> to only
+ use IPv4 query transport. The <code class="option">-6</code> option forces
+ <span><strong class="command">host</strong></span> to only use IPv6 query transport.
+ </p>
+<p>
+ The <code class="option">-t</code> option is used to select the query type.
+ <em class="parameter"><code>type</code></em> can be any recognized query
+ type: CNAME,
+ NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
+ <span><strong class="command">host</strong></span> automatically selects an appropriate
+ query
+ type. By default it looks for A records, but if the
+ <code class="option">-C</code> option was given, queries will be made for SOA
+ records, and if <em class="parameter"><code>name</code></em> is a
+ dotted-decimal IPv4
+ address or colon-delimited IPv6 address, <span><strong class="command">host</strong></span> will
+ query for PTR records. If a query type of IXFR is chosen the starting
+ serial number can be specified by appending an equal followed by the
+ starting serial number (e.g. -t IXFR=12345678).
+ </p>
+<p>
+ The time to wait for a reply can be controlled through the
+ <code class="option">-W</code> and <code class="option">-w</code> options. The
+ <code class="option">-W</code> option makes <span><strong class="command">host</strong></span>
+ wait for
+ <em class="parameter"><code>wait</code></em> seconds. If <em class="parameter"><code>wait</code></em>
+ is less than one, the wait interval is set to one second. When the
+ <code class="option">-w</code> option is used, <span><strong class="command">host</strong></span>
+ will
+ effectively wait forever for a reply. The time to wait for a response
+ will be set to the number of seconds given by the hardware's maximum
+ value for an integer quantity.
+ </p>
+<p>
+ The <code class="option">-s</code> option tells <span><strong class="command">host</strong></span>
+ <span class="emphasis"><em>not</em></span> to send the query to the next nameserver
+ if any server responds with a SERVFAIL response, which is the
+ reverse of normal stub resolver behavior.
+ </p>
+<p>
+ The <code class="option">-m</code> can be used to set the memory usage debugging
+ flags
+ <em class="parameter"><code>record</code></em>, <em class="parameter"><code>usage</code></em> and
+ <em class="parameter"><code>trace</code></em>.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2549874"></a><h2>FILES</h2>
-<p>
-<code class="filename">/etc/resolv.conf</code>
-</p>
+<a name="id2543725"></a><h2>IDN SUPPORT</h2>
+<p>
+ If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
+ domain name) support, it can accept and display non-ASCII domain names.
+ <span><strong class="command">host</strong></span> appropriately converts character encoding of
+ domain name before sending a request to DNS server or displaying a
+ reply from the server.
+ If you'd like to turn off the IDN support for some reason, defines
+ the <code class="envar">IDN_DISABLE</code> environment variable.
+ The IDN support is disabled if the variable is set when
+ <span><strong class="command">host</strong></span> runs.
+ </p>
</div>
<div class="refsect1" lang="en">
-<a name="id2549886"></a><h2>SEE ALSO</h2>
-<p>
-<span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
-<span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
-</p>
+<a name="id2543748"></a><h2>FILES</h2>
+<p><code class="filename">/etc/resolv.conf</code>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543828"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
+ </p>
</div>
</div></body>
</html>
diff --git a/usr.sbin/bind/bin/dig/include/dig/dig.h b/usr.sbin/bind/bin/dig/include/dig/dig.h
index d5cab9eda83..850d7164777 100644
--- a/usr.sbin/bind/bin/dig/include/dig/dig.h
+++ b/usr.sbin/bind/bin/dig/include/dig/dig.h
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,11 +15,13 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: dig.h,v 1.71.2.6.2.14 2006/12/07 01:26:33 marka Exp $ */
+/* $ISC: dig.h,v 1.82.18.23 2007/08/28 07:19:55 tbox Exp $ */
#ifndef DIG_H
#define DIG_H
+/*! \file */
+
#include <dns/rdatalist.h>
#include <dst/dst.h>
@@ -38,29 +40,36 @@
#define MXSERV 20
#define MXNAME (DNS_NAME_MAXTEXT+1)
#define MXRD 32
+/*% Buffer Size */
#define BUFSIZE 512
#define COMMSIZE 0xffff
#ifndef RESOLV_CONF
+/*% location of resolve.conf */
#define RESOLV_CONF "/etc/resolv.conf"
#endif
+/*% output buffer */
#define OUTPUTBUF 32767
+/*% Max RR Limit */
#define MAXRRLIMIT 0xffffffff
#define MAXTIMEOUT 0xffff
+/*% Max number of tries */
#define MAXTRIES 0xffffffff
+/*% Max number of dots */
#define MAXNDOTS 0xffff
+/*% Max number of ports */
#define MAXPORT 0xffff
+/*% Max serial number */
#define MAXSERIAL 0xffffffff
-/*
- * Default timeout values
- */
+/*% Default TCP Timeout */
#define TCP_TIMEOUT 10
+/*% Default UDP Timeout */
#define UDP_TIMEOUT 5
#define SERVER_TIMEOUT 1
#define LOOKUP_LIMIT 64
-/*
+/*%
* Lookup_limit is just a limiter, keeping too many lookups from being
* created. It's job is mainly to prevent the program from running away
* in a tight loop of constant lookups. It's value is arbitrary.
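Review bot: Two of the added Doxygen comments in this hunk misdescribe the macro they sit on. `/*% location of resolve.conf */` misspells the file that `RESOLV_CONF` points to, and `/*% Max number of ports */` is attached to `MAXPORT 0xffff`, which reads as the highest valid port number rather than a count. I would write `/*% location of resolv.conf */` and `/*% Max port number */`. The timeout comments (`TCP_TIMEOUT`, `UDP_TIMEOUT`) would also benefit from stating the unit, and `COMMSIZE`, `MAXTIMEOUT` and `SERVER_TIMEOUT` are still undocumented although they bound buffer sizes and user-supplied option values.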
@@ -90,22 +99,23 @@ typedef struct dig_message dig_message_t;
typedef ISC_LIST(dig_server_t) dig_serverlist_t;
typedef struct dig_searchlist dig_searchlist_t;
+/*% The dig_lookup structure */
struct dig_lookup {
isc_boolean_t
- pending, /* Pending a successful answer */
+ pending, /*%< Pending a successful answer */
waiting_connect,
doing_xfr,
- ns_search_only, /* dig +nssearch, host -C */
- identify, /* Append an "on server <foo>" message */
- identify_previous_line, /* Prepend a "Nameserver <foo>:"
+ ns_search_only, /*%< dig +nssearch, host -C */
+ identify, /*%< Append an "on server <foo>" message */
+ identify_previous_line, /*% Prepend a "Nameserver <foo>:"
message, with newline and tab */
ignore,
recurse,
aaonly,
adflag,
cdflag,
- trace, /* dig +trace */
- trace_root, /* initial query for either +trace or +nssearch */
+ trace, /*% dig +trace */
+ trace_root, /*% initial query for either +trace or +nssearch */
tcp_mode,
ip6_int,
comments,
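Review bot: The converted member comments are inconsistent: `pending`, `ns_search_only` and `identify` use the trailing form `/*%<`, but `identify_previous_line`, `trace` and `trace_root` use `/*%` without the `<`. If the project's Doxygen filter treats `/*%` like `/*!`, those three comments would attach to the following member (`ignore`, `trace_root`, `tcp_mode`) instead of the one they describe. Changing them to `/*%< dig +trace */` and so on fixes that; the same applies to the `textname` comment in the later `@@ -130,7 +142,7 @@` hunk. `struct dig_lookup` continues outside this hunk.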
@@ -116,6 +126,8 @@ struct dig_lookup {
section_additional,
servfail_stops,
new_search,
+ need_search,
+ done_as_is,
besteffort,
dnssec;
#ifdef DIG_SIGCHASE
@@ -130,7 +142,7 @@ isc_boolean_t sigchase;
#endif
#endif
- char textname[MXNAME]; /* Name we're going to be looking up */
+ char textname[MXNAME]; /*% Name we're going to be looking up */
char cmdline[MXNAME];
dns_rdatatype_t rdtype;
dns_rdatatype_t qrdtype;
@@ -162,14 +174,17 @@ isc_boolean_t sigchase;
isc_uint32_t retries;
int nsfound;
isc_uint16_t udpsize;
+ isc_int16_t edns;
isc_uint32_t ixfr_serial;
isc_buffer_t rdatabuf;
char rdatastore[MXNAME];
dst_context_t *tsigctx;
isc_buffer_t *querysig;
isc_uint32_t msgcounter;
+ dns_fixedname_t fdomain;
};
+/*% The dig_query structure */
struct dig_query {
dig_lookup_t *lookup;
isc_boolean_t waiting_connect,
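Review bot: The new `isc_int16_t edns;` member is signed while the neighbouring `udpsize` is unsigned, which suggests a negative value is used as a sentinel (presumably "EDNS not in use"), yet nothing in the header says so. Please add a trailing comment giving the valid range and the meaning of a negative value, for example `isc_int16_t edns; /*%< EDNS version, negative when EDNS is off */` once that is confirmed against dighost.c. Without it, a caller could copy a negative value into the unsigned version field of an OPT record. `fdomain` is likewise undocumented; a note on which name it holds and when it is initialised would help. Both structs continue outside this hunk.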
@@ -200,6 +215,7 @@ struct dig_query {
ISC_LINK(dig_query_t) link;
isc_sockaddr_t sockaddr;
isc_time_t time_sent;
+ isc_uint64_t byte_count;
isc_buffer_t sendbuf;
};
@@ -230,9 +246,10 @@ typedef ISC_LIST(dig_lookup_t) dig_lookuplist_t;
extern dig_lookuplist_t lookup_list;
extern dig_serverlist_t server_list;
extern dig_searchlistlist_t search_list;
+extern unsigned int extrabytes;
-extern isc_boolean_t have_ipv4, have_ipv6, specified_source,
- usesearch, qr;
+extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
+ usesearch, showsearch, qr;
extern in_port_t port;
extern unsigned int timeout;
extern isc_mem_t *mctx;
@@ -245,6 +262,8 @@ extern isc_sockaddr_t bind_address;
extern char keynametext[MXNAME];
extern char keyfile[MXNAME];
extern char keysecret[MXNAME];
+extern dns_name_t *hmacname;
+extern unsigned int digestbits;
#ifdef DIG_SIGCHASE
extern char trustedkey[MXNAME];
#endif
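Review bot: `hmacname` and `digestbits` are added next to the TSIG key globals without any comment on ownership, units or valid range. Judging by the name and placement, `digestbits` is the truncated HMAC length, and a short truncation weakens TSIG authentication, so the declaration should say what the unit is, which values are accepted and where the bound is enforced. Something like `extern unsigned int digestbits; /*%< TSIG digest truncation in bits; see <parser> for the accepted range */` would do, with the placeholder replaced by the function that validates it. For `hmacname`, state whether it points at a static algorithm name or at storage the caller must release.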
@@ -258,6 +277,9 @@ extern isc_boolean_t debugging, memdebugging;
extern char *progname;
extern int tries;
extern int fatalexit;
+#ifdef WITH_IDN
+extern int idnoptions;
+#endif
/*
* Routines in dighost.c.
@@ -282,6 +304,9 @@ void
setup_lookup(dig_lookup_t *lookup);
void
+destroy_lookup(dig_lookup_t *lookup);
+
+void
do_lookup(dig_lookup_t *lookup);
void
@@ -346,13 +371,13 @@ printrdataset(dns_name_t *owner_name, dns_rdataset_t *rdataset,
isc_result_t
printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers);
-/*
+/*%<
* Print the final result of the lookup.
*/
void
received(int bytes, isc_sockaddr_t *from, dig_query_t *query);
-/*
+/*%<
* Print a message about where and when the response
* was received from, like the final comment in the
* output of "dig".
diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1
index 6bb946b0e5e..d58234d32ce 100644
--- a/usr.sbin/bind/bin/dig/nslookup.1
+++ b/usr.sbin/bind/bin/dig/nslookup.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -12,14 +12,17 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
-.\" $ISC: nslookup.1,v 1.1.6.5 2005/10/13 02:33:43 marka Exp $
+.\" $ISC: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
.\"
.hy 0
.ad l
-.\" ** You probably do not want to edit this file directly **
-.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
-.\" Instead of manually editing it, you probably should edit the DocBook XML
-.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
+.\" Title: nslookup
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Jun 30, 2000
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
.TH "NSLOOKUP" "1" "Jun 30, 2000" "BIND9" "BIND9"
.\" disable hyphenation
.nh
@@ -39,30 +42,34 @@ has two modes: interactive and non\-interactive. Interactive mode allows the use
.SH "ARGUMENTS"
.PP
Interactive mode is entered in the following cases:
-.TP 3
+.TP 4
1.
when no arguments are given (the default name server will be used)
-.TP
+.TP 4
2.
when the first argument is a hyphen (\-) and the second argument is the host name or Internet address of a name server.
+.sp
+.RE
.PP
Non\-interactive mode is used when the name or Internet address of the host to be looked up is given as the first argument. The optional second argument specifies the host name or address of a name server.
.PP
Options can also be specified on the command line if they precede the arguments and are prefixed with a hyphen. For example, to change the default query type to host information, and the initial timeout to 10 seconds, type:
-.IP
-.nf
-nslookup \-query=hinfo \-timeout=10
-.fi
+.sp .RS 4 .nf nslookup \-query=hinfo \-timeout=10 .fi .RE
.SH "INTERACTIVE COMMANDS"
-.TP
-host [server]
+.PP
+\fBhost\fR [server]
+.RS 4
Look up information for host using the current default server or using server, if specified. If host is an Internet address and the query type is A or PTR, the name of the host is returned. If host is a name and does not have a trailing period, the search list is used to qualify the name.
.sp
To look up a host not in the current domain, append a period to the name.
-.TP
+.RE
+.PP
\fBserver\fR \fIdomain\fR
-.TP
+.RS 4
+.RE
+.PP
\fBlserver\fR \fIdomain\fR
+.RS 4
Change the default server to
\fIdomain\fR;
\fBlserver\fR
@@ -70,107 +77,165 @@ uses the initial server to look up information about
\fIdomain\fR, while
\fBserver\fR
uses the current default server. If an authoritative answer can't be found, the names of servers that might have the answer are returned.
-.TP
+.RE
+.PP
\fBroot\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fBfinger\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fBls\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fBview\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fBhelp\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fB?\fR
+.RS 4
not implemented
-.TP
+.RE
+.PP
\fBexit\fR
+.RS 4
Exits the program.
-.TP
+.RE
+.PP
\fBset\fR \fIkeyword\fR\fI[=value]\fR
+.RS 4
This command is used to change state information that affects the lookups. Valid keywords are:
-.RS
-.TP
+.RS 4
+.PP
\fBall\fR
+.RS 4
Prints the current values of the frequently used options to
\fBset\fR. Information about the current default server and host is also printed.
-.TP
+.RE
+.PP
\fBclass=\fR\fIvalue\fR
+.RS 4
Change the query class to one of:
-.RS
-.TP
+.RS 4
+.PP
\fBIN\fR
+.RS 4
the Internet class
-.TP
+.RE
+.PP
\fBCH\fR
+.RS 4
the Chaos class
-.TP
+.RE
+.PP
\fBHS\fR
+.RS 4
the Hesiod class
-.TP
+.RE
+.PP
\fBANY\fR
+.RS 4
wildcard
.RE
-.IP
+.RE
+.IP "" 4
The class specifies the protocol group of the information.
.sp
(Default = IN; abbreviation = cl)
-.TP
-\fB\fI[no]\fR\fR\fBdebug\fR
-Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBdebug\fR
+.RS 4
+Turn on or off the display of the full response packet and any intermediate response packets when searching.
.sp
(Default = nodebug; abbreviation =
[no]deb)
-.TP
-\fB\fI[no]\fR\fR\fBd2\fR
-Turn debugging mode on. A lot more information is printed about the packet sent to the server and the resulting answer.
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBd2\fR
+.RS 4
+Turn debugging mode on or off. This displays more about what nslookup is doing.
.sp
(Default = nod2)
-.TP
+.RE
+.PP
\fBdomain=\fR\fIname\fR
+.RS 4
Sets the search list to
\fIname\fR.
-.TP
-\fB\fI[no]\fR\fR\fBsearch\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBsearch\fR
+.RS 4
If the lookup request contains at least one period but doesn't end with a trailing period, append the domain names in the domain search list to the request until an answer is received.
.sp
(Default = search)
-.TP
+.RE
+.PP
\fBport=\fR\fIvalue\fR
+.RS 4
Change the default TCP/UDP name server port to
\fIvalue\fR.
.sp
(Default = 53; abbreviation = po)
-.TP
+.RE
+.PP
\fBquerytype=\fR\fIvalue\fR
-.TP
-\fBtype=\fIvalue\fB\fR
+.RS 4
+.RE
+.PP
+\fBtype=\fR\fIvalue\fR
+.RS 4
Change the type of the information query.
.sp
(Default = A; abbreviations = q, ty)
-.TP
-\fB\fI[no]\fR\fR\fBrecurse\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBrecurse\fR
+.RS 4
Tell the name server to query other servers if it does not have the information.
.sp
(Default = recurse; abbreviation = [no]rec)
-.TP
+.RE
+.PP
\fBretry=\fR\fInumber\fR
+.RS 4
Set the number of retries to number.
-.TP
+.RE
+.PP
\fBtimeout=\fR\fInumber\fR
+.RS 4
Change the initial timeout interval for waiting for a reply to number seconds.
-.TP
-\fB\fI[no]\fR\fR\fBvc\fR
+.RE
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBvc\fR
+.RS 4
Always use a virtual circuit when sending requests to the server.
.sp
(Default = novc)
.RE
-.IP
+.PP
+\fB \fR\fB\fI[no]\fR\fR\fBfail\fR
+.RS 4
+Try the next nameserver if a nameserver responds with SERVFAIL or a referral (nofail) or terminate query (fail) on such a response.
+.sp
+(Default = nofail)
+.RE
+.RE
+.IP "" 4
+.RE
.SH "FILES"
.PP
\fI/etc/resolv.conf\fR
@@ -182,3 +247,6 @@ Always use a virtual circuit when sending requests to the server.
.SH "AUTHOR"
.PP
Andrew Cherenson
+.SH "COPYRIGHT"
+Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c
index f29890d895a..d30cc85ca81 100644
--- a/usr.sbin/bind/bin/dig/nslookup.c
+++ b/usr.sbin/bind/bin/dig/nslookup.c
@@ -1,8 +1,8 @@
/*
- * Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2000-2003 Internet Software Consortium.
*
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $ISC: nslookup.c,v 1.90.2.4.2.12 2006/06/09 23:50:53 marka Exp $ */
+/* $ISC: nslookup.c,v 1.101.18.15 2007/08/28 07:19:55 tbox Exp $ */
#include <config.h>
@@ -50,7 +50,8 @@ static isc_boolean_t short_form = ISC_TRUE,
comments = ISC_TRUE, section_question = ISC_TRUE,
section_answer = ISC_TRUE, section_authority = ISC_TRUE,
section_additional = ISC_TRUE, recurse = ISC_TRUE,
- aaonly = ISC_FALSE;
+ aaonly = ISC_FALSE, nofail = ISC_TRUE;
+
static isc_boolean_t in_use = ISC_FALSE;
static char defclass[MXRD] = "IN";
static char deftype[MXRD] = "A";
@@ -409,8 +410,9 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
char nametext[DNS_NAME_FORMATSIZE];
dns_name_format(query->lookup->name,
nametext, sizeof(nametext));
- printf("** server can't find %s: %s\n", nametext,
- rcodetext[msg->rcode]);
+ printf("** server can't find %s: %s\n",
+ (msg->rcode != dns_rcode_nxdomain) ? nametext :
+ query->lookup->textname, rcodetext[msg->rcode]);
debug("returning with rcode == 0");
return (ISC_R_SUCCESS);
}
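Review bot: `rcodetext[msg->rcode]` in the rewritten printf indexes a table with a value taken from the server's response, and nothing in this hunk bounds it. The table's definition is outside the hunk, so the index may be checked elsewhere; if it is not, an rcode larger than the table makes the lookup read past its end. A guard at the use site, `(msg->rcode < sizeof(rcodetext) / sizeof(rcodetext[0])) ? rcodetext[msg->rcode] : "UNKNOWN"`, would make the print safe whatever the server sends. printmessage's body starts and ends outside the hunk.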
@@ -618,8 +620,10 @@ setoption(char *opt) {
tcpmode = ISC_FALSE;
} else if (strncasecmp(opt, "deb", 3) == 0) {
short_form = ISC_FALSE;
+ showsearch = ISC_TRUE;
} else if (strncasecmp(opt, "nodeb", 5) == 0) {
short_form = ISC_TRUE;
+ showsearch = ISC_FALSE;
} else if (strncasecmp(opt, "d2", 2) == 0) {
debugging = ISC_TRUE;
} else if (strncasecmp(opt, "nod2", 4) == 0) {
@@ -630,6 +634,10 @@ setoption(char *opt) {
usesearch = ISC_FALSE;
} else if (strncasecmp(opt, "sil", 3) == 0) {
/* deprecation_msg = ISC_FALSE; */
+ } else if (strncasecmp(opt, "fail", 3) == 0) {
+ nofail=ISC_FALSE;
+ } else if (strncasecmp(opt, "nofail", 3) == 0) {
+ nofail=ISC_TRUE;
} else {
printf("*** Invalid option: %s\n", opt);
}
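Review bot: Both added branches compare only three characters, `strncasecmp(opt, "fail", 3)` and `strncasecmp(opt, "nofail", 3)`, so any option that begins with "fai" or "nof" silently toggles `nofail` instead of reaching the "Invalid option" message. The neighbouring branches keep the literal and the length in step (`"deb", 3`, `"nodeb", 5`, `"nod2", 4`); here they disagree. If abbreviations are not intended, compare the whole keyword with `strncasecmp(opt, "fail", 4)` and `strncasecmp(opt, "nofail", 6)`; if they are, shorten the literals to the accepted prefix so the intent is visible. The assignments would also match the rest of setoption if written `nofail = ISC_FALSE;` with spaces around `=`; setoption's body continues outside the hunk.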
@@ -688,6 +696,8 @@ addlookup(char *opt) {
lookup->section_authority = section_authority;
lookup->section_additional = section_additional;
lookup->new_search = ISC_TRUE;
+ if (nofail)
+ lookup->servfail_stops = ISC_FALSE;
ISC_LIST_INIT(lookup->q);
ISC_LINK_INIT(lookup, link);
ISC_LIST_APPEND(lookup_list, lookup, link);
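Review bot: The added `if (nofail)` only ever clears `lookup->servfail_stops`, so `set fail` has an effect only if a freshly created lookup already has the field set, and that default is not visible in this hunk. Assigning the field in both cases, `lookup->servfail_stops = nofail ? ISC_FALSE : ISC_TRUE;`, removes that hidden dependency and matches the unconditional assignments on the lines above it. addlookup's body starts and ends outside the hunk.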
@@ -727,6 +737,7 @@ get_next_command(void) {
(strcasecmp(ptr, "lserver") == 0)) {
isc_app_block();
set_nameserver(arg);
+ check_ra = ISC_FALSE;
isc_app_unblock();
show_settings(ISC_TRUE, ISC_TRUE);
} else if (strcasecmp(ptr, "exit") == 0) {
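Review bot: `check_ra = ISC_FALSE;` is added after `set_nameserver(arg)` with no comment, and the same bare assignment appears in the parse_args hunk, with `check_ra = ISC_TRUE;` added in main. None of the three sites says why naming a server turns the check off, and the flag's use is in dighost.c, outside these hunks. A one-line comment at each site would record the intent, for example `/* server was chosen explicitly: do not skip it for lacking recursion (RA) */`, assuming that is what the flag controls. get_next_command's body continues outside the hunk.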
@@ -765,9 +776,10 @@ parse_args(int argc, char **argv) {
have_lookup = ISC_TRUE;
in_use = ISC_TRUE;
addlookup(argv[0]);
- }
- else
+ } else {
set_nameserver(argv[0]);
+ check_ra = ISC_FALSE;
+ }
}
}
}
@@ -843,6 +855,8 @@ main(int argc, char **argv) {
ISC_LIST_INIT(server_list);
ISC_LIST_INIT(search_list);
+ check_ra = ISC_TRUE;
+
result = isc_app_start();
check_result(result, "isc_app_start");