| author | Jakob Schlyter <jakob@cvs.openbsd.org> | 2003-01-20 21:07:55 +0000 |
|---|---|---|
| committer | Jakob Schlyter <jakob@cvs.openbsd.org> | 2003-01-20 21:07:55 +0000 |
| commit | dcaedb23a762cacc9125d2056adca98bbec67e16 (patch) | |
| tree | 8b2707b30928ce97b145ca6f3c102c662090d26e /usr.sbin/bind/doc/misc | |
| parent | cc53f94652b511572cc20f91f0356f1774e7d02c (diff) | |
ISC BIND version 9.2.2rc1
Diffstat (limited to 'usr.sbin/bind/doc/misc')
| mode | file | lines added |
|---|---|---|
| -rw-r--r-- | usr.sbin/bind/doc/misc/Makefile.in | 36 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/dnssec | 91 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/format-options.pl | 36 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/ipv6 | 99 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/migration | 246 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/migration-4to9 | 56 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/options | 307 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/rfc-compliance | 61 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/roadmap | 46 |
| -rw-r--r-- | usr.sbin/bind/doc/misc/sdb | 168 |
10 files changed, 1146 insertions, 0 deletions
diff --git a/usr.sbin/bind/doc/misc/Makefile.in b/usr.sbin/bind/doc/misc/Makefile.in new file mode 100644 index 00000000000..1542821661b --- /dev/null +++ b/usr.sbin/bind/doc/misc/Makefile.in @@ -0,0 +1,36 @@ +# Copyright (C) 2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +# $ISC: Makefile.in,v 1.1 2001/07/26 21:31:12 gson Exp $ + +srcdir = @srcdir@ +VPATH = @srcdir@ +top_srcdir = @top_srcdir@ + +@BIND9_MAKE_RULES@ + +PERL = @PERL@ + +MANOBJS = options + +doc man:: ${MANOBJS} + +docclean manclean maintainer-clean:: + rm -f options + +options: + ../../bin/tests/cfg_test --named --grammar | \ + ${PERL} ${srcdir}/format-options.pl >options || \ + rm -f options diff --git a/usr.sbin/bind/doc/misc/dnssec b/usr.sbin/bind/doc/misc/dnssec new file mode 100644 index 00000000000..ed4b4a9efc9 --- /dev/null +++ b/usr.sbin/bind/doc/misc/dnssec 
@@ -0,0 +1,91 @@ +Copyright (C) 2000-2002 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +DNSSEC Release Notes + +This document summarizes the state of the DNSSEC implementation in +this release of BIND9. + + +OpenSSL Library Required + +To support DNSSEC, BIND 9 must be linked with version 0.9.5a or newer of +the OpenSSL library. As of BIND 9.2, the library is no longer +included in the distribution - it must be provided by the operating +system or installed separately. + +To build BIND 9 with OpenSSL, use "configure --with-openssl". If +the OpenSSL library is installed in a nonstandard location, you can +specify a path as in "configure --with-openssl=/var". + + +Key Generation and Signing + +The tools for generating DNSSEC keys and signatures are now in the +bin/dnssec directory. Documentation for these programs can be found +in doc/arm/Bv9ARM.4.html and the man pages. + +The random data used in generating DNSSEC keys and signatures comes +from either /dev/random (if the OS supports it) or keyboard input. +Alternatively, a device or file containing entropy/random data can be +specified. + + +Serving Secure Zones + +When acting as an authoritative name server, BIND9 includes KEY, SIG +and NXT records in responses as specified in RFC2535 when the request +has the DO flag set in the query. + +Response generation for wildcard records in secure zones is not fully +supported. Responses indicating the nonexistence of a name include a +NXT record proving the nonexistence of the name itself, but do not +include any NXT records to prove the nonexistence of a matching +wildcard record. Positive responses resulting from wildcard expansion +do not include the NXT records to prove the nonexistence of a +non-wildcard match or a more specific wildcard match. + + +Secure Resolution + +Basic support for validation of DNSSEC signatures in responses has +been implemented but should still be considered experimental. 
+ +When acting as a caching name server, BIND9 is capable of performing +basic DNSSEC validation of positive as well as nonexistence responses. +This functionality is enabled by including a "trusted-keys" clause +in the configuration file, containing the top-level zone key of the +the DNSSEC tree. + +Validation of wildcard responses is not currently supported. In +particular, a "name does not exist" response will validate +successfully even if it does not contain the NXT records to prove the +nonexistence of a matching wildcard. + +Proof of insecure status for insecure zones delegated from secure +zones works when the zones are completely insecure. Privately +secured zones delegated from secure zones will not work in all cases, +such as when the privately secured zone is served by the same server +as an ancestor (but not parent) zone. + +Handling of the CD bit in queries is now fully implemented. Validation +is not attempted for recursive queries if CD is set. + + +Secure Dynamic Update + +Dynamic update of secure zones has been implemented, but may not be +complete. Affected NXT and SIG records are updated by the server when +an update occurs. Advanced access control is possible using the +"update-policy" statement in the zone definition. + + +Secure Zone Transfers + +BIND 9 does not implement the zone transfer security mechanisms of +RFC2535 section 5.6, and we have no plans to implement them in the +future as we consider them inferior to the use of TSIG or SIG(0) to +ensure the integrity of zone transfers. + + +$ISC: dnssec,v 1.14.2.3 2002/02/08 03:57:24 marka Exp $ diff --git a/usr.sbin/bind/doc/misc/format-options.pl b/usr.sbin/bind/doc/misc/format-options.pl new file mode 100644 index 00000000000..4f3a1ab74d4 --- /dev/null +++ b/usr.sbin/bind/doc/misc/format-options.pl 
@@ -0,0 +1,36 @@ +#!/usr/bin/perl +# +# Copyright (C) 2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM +# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL +# INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING +# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, +# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION +# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +# $ISC: format-options.pl,v 1.1 2001/07/26 21:31:12 gson Exp $ + +print <<END; + +This is a summary of the named.conf options supported by +this version of BIND 9. + +END + +# Break long lines +while (<>) { + s/\t/ /g; + if (length >= 79) { + m!^( *)!; + my $indent = $1; + s!^(.{0,75}) (.*)$!\1\n$indent \2!; + } + print; +} diff --git a/usr.sbin/bind/doc/misc/ipv6 b/usr.sbin/bind/doc/misc/ipv6 new file mode 100644 index 00000000000..c2cdfb1393d --- /dev/null +++ b/usr.sbin/bind/doc/misc/ipv6 
@@ -0,0 +1,99 @@ +Copyright (C) 2000, 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +Currently, there are multiple interesting problems with ipv6 +implementations on various platforms. These problems range from not +being able to use ipv6 with bind9 (or in particular the ISC socket +library, contained in libisc) to listen-on lists not being respected, +to strange warnings but seemingly correct behavior of named. + +COMPILE-TIME ISSUES +------------------- + +The socket library requires a certain level of support from the +operating system. In particular, it must follow the advanced ipv6 +socket API to be usable. The systems which do not follow this will +currently not get any warnings or errors, but ipv6 will simply not +function on them. + +These systems currently include, but are not limited to: + + AIX 3.4 (with ipv6 patches) + + +RUN-TIME ISSUES +--------------- + +In the original drafts of the ipv6 RFC documents, binding an ipv6 +socket to the ipv6 wildcard address would also cause the socket to +accept ipv4 connections and datagrams. When an ipv4 packet is +received on these systems, it is mapped into an ipv6 address. For +example, 1.2.3.4 would be mapped into ffff::1.2.3.4. The intent of +this mapping was to make transition from an ipv4-only application into +ipv6 easier, by only requiring one socket to be open on a given port. + +Later, it was discovered that this was generally a bad idea. For one, +many firewalls will block connection to 1.2.3.4, but will let through +ffff::1.2.3.4. This, of course, is bad. Also, access control lists +written to accept only ipv4 addresses were suddenly ignored unless +they were rewritten to handle the ipv6 mapped addresses as well. + +In bind9, we always bind to the ipv6 wildcard port for both TCP and +UDP, and specific addresses for ipv4 sockets. This causes some +interesting behavior depending on the system implementation of ipv6. 
+ + +IPV6 Sockets Accept IPV4, Specific IPV4 Addresses Bindings Fail +--------------------------------------------------------------- + +The only OS which seems to do this is linux. If an ipv6 socket is +bound to the ipv6 wildcard socket, and a specific ipv4 socket is +later bound (say, to 1.2.3.4 port 53) the ipv4 binding will fail. + +What this means to bind9 is that the application will log warnings +about being unable to bind to a socket because the address is already +in use. Since the ipv6 socket will accept ipv4 packets and map them, +however, the ipv4 addresses continue to function. + +The effect is that the config file listen-on directive will not be +respected on these systems. + + +IPV6 Sockets Accept IPV4, Specific IPV4 Address Bindings Succeed +---------------------------------------------------------------- + +In this case, the system allows opening an ipv6 wildcard address +socket and then binding to a more specific ipv4 address later. An +example of this type of system is Digital Unix with ipv6 patches +applied. + +What this means to bind9 is that the application will respect +listen-on in regards to ipv4 sockets, but it will use mapped ipv6 +addresses for any that do not match the listen-on list. This, in +effect, makes listen-on useless for these machines as well. + + +IPV6 Sockets Do Not Accept IPV4 +------------------------------- + +On these systems, opening an IPV6 socket does not implicitly open any +ipv4 sockets. An example of these systems are NetBSD-current with the +latest KAME patch, and other systems which use the latest KAME patches +as their ipv6 implementation. + +On these systems, listen-on is fully functional, as the ipv6 socket +only accepts ipv6 packets, and the ipv4 sockets will handle the ipv4 +packets. 
+ + +RELEVANT RFCs +------------- + +2373: IP Version 6 Addressing Architecture + +2553: Basic Socket Interface Extensions for IPv6 + +draft-ietf-ipngwg-rfc2292bis-01: Advanced Sockets API for IPv6 (draft) + + +$ISC: ipv6,v 1.5 2001/01/09 21:50:27 bwelling Exp $ diff --git a/usr.sbin/bind/doc/misc/migration b/usr.sbin/bind/doc/misc/migration new file mode 100644 index 00000000000..916cde19b88 --- /dev/null +++ b/usr.sbin/bind/doc/misc/migration 
@@ -0,0 +1,246 @@ +Copyright (C) 2000, 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + + BIND 8 to BIND 9 Migration Notes + +BIND 9 is designed to be mostly upwards compatible with BIND 8, but +there is still a number of caveats you should be aware of when +upgrading an existing BIND 8 installation to use BIND 9. + + +1. Configuration File Compatibility + +1.1. Unimplemented Options and Changed Defaults + +BIND 9 supports most, but not all of the named.conf options of BIND 8. +For a complete list of implemented options, see doc/misc/options. + +If your named.conf file uses an unimplemented option, named will log a +warning message. A message is also logged about each option whose +default has changed unless the option is set explicitly in named.conf. + +The default of the "transfer-format" option has changed from +"one-answer" to "many-answers". If you have slave servers that do not +understand the many-answers zone transfer format (e.g., BIND 4.9.5 or +older) you need to explicitly specify "transfer-format one-answer;" in +either the options block or a server statement. + +1.2. Handling of Configuration File Errors + +In BIND 9, named refuses to start if it detects an error in +named.conf. Earlier versions would start despite errors, causing the +server to run with a partial configuration. Errors detected during +subsequent reloads do not cause the server to exit. + +Errors in master files do not cause the server to exit, but they +do cause the zone not to load. + +1.3. Logging + +The set of logging categories in BIND 9 is different from that +in BIND 8. If you have customized your logging on a per-category +basis, you need to modify your logging statement to use the +new categories. + +Another difference is that the "logging" statement only takes effect +after the entire named.conf file has been read. 
This means that when +the server starts up, any messages about errors in the configuration +file are always logged to the default destination (syslog) when the +server first starts up, regardless of the contents of the "logging" +statement. In BIND 8, the new logging configuration took effect +immediately after the "logging" statement was read. + +1.4. Notify messages and Refesh queries + +The source address and port for these is now controlled by +"notify-source" and "transfer-source", respectively, rather that +query-source as in BIND 8. + +1.5. Multiple Classes. + +Multiple classes have to be put into explicit views for each class. + + +2. Zone File Compatibility + +2.1. Strict RFC1035 Interpretation of TTLs in Zone Files + +BIND 9 strictly complies with the RFC1035 and RFC2308 rules regarding +omitted TTLs in zone files. Omitted TTLs are replaced by the value +specified with the $TTL directive, or by the previous explicit TTL if +there is no $TTL directive. + +If there is no $TTL directive and the first RR in the file does not +have an explicit TTL field, the zone file is illegal according to +RFC1035 since the TTL of the first RR is undefined. Unfortunately, +BIND 4 and many versions of BIND 8 accept such files without warning +and use the value of the SOA MINTTL field as a default for missing TTL +values. + +BIND 9.0 and 9.1 completely refused to load such files. BIND 9.2 +emulates the nonstandard BIND 4/8 SOA MINTTL behavior and loads the +files anyway (provided the SOA is the first record in the file), but +will issue the warning message "no TTL specified; using SOA MINTTL +instad". + +To avoid problems, we recommend that you use a $TTL directive in each +zone file. + +2.2. Periods in SOA Serial Numbers Deprecated + +Some versions of BIND allow SOA serial numbers with an embedded +period, like "3.002", and convert them into integers in a rather +unintuitive way. This feature is not supported by BIND 9; serial +numbers must be integers. + +2.3. 
Handling of Unbalanced Quotes + +TXT records with unbalanced quotes, like 'host TXT "foo', were not +treated as errors in some versions of BIND. If your zone files +contain such records, you will get potentially confusing error +messages like "unexpected end of file" because BIND 9 will interpret +everything up to the next quote character as a literal string. + +2.4. Handling of Line Breaks + +Some versions of BIND accept RRs containing line breaks that are not +properly quoted with parentheses, like the following SOA: + + @ IN SOA ns.example. hostmaster.example. + ( 1 3600 1800 1814400 3600 ) + +This is not legal master file syntax and will be treated as an error +by BIND 9. The fix is to move the opening parenthesis to the first +line. + +2.5. Unimplemented BIND 8 Extensions + +$GENERATE: The "$$" construct for getting a literal $ into a domain +name is deprecated. Use \$ instead. + + +3. Interoperability Impact of New Protocol Features + +3.1. EDNS0 + +BIND 9 uses EDNS0 (RFC2671) to advertise its receive buffer size. It +also sets an EDNS flag bit in queries to indicate that it wishes to +receive DNSSEC responses; this flag bit usage is not yet standardized, +but we hope it will be. + +Most older servers that do not support EDNS0, including prior versions +of BIND, will send a FORMERR or NOTIMP response to these queries. +When this happens, BIND 9 will automatically retry the query without +EDNS0. + +Unfortunately, there exists at least one non-BIND name server +implementation that silently ignores these queries instead of sending +an error response. Resolving names in zones where all or most +authoritative servers use this server will be very slow or fail +completely. We have contacted the manufacturer of the name server in +case, and they are working on a solution. 
+ +When BIND 9 communicates with a server that does support EDNS0, such as +another BIND 9 server, responses of up to 4096 bytes may be +transmitted as a single UDP datagram which is subject to fragmentation +at the IP level. If a firewall incorrectly drops IP fragments, it can +cause resolution to slow down dramatically or fail. + +3.2. Zone Transfers + +Outgoing zone transfers now use the "many-answers" format by default. +This format is not understood by certain old versions of BIND 4. +You can work around this problem using the option "transfer-format +one-answer;", but since these old versions all have known security +problems, the correct fix is to upgrade the slave servers. + +Zone transfers to Windows 2000 DNS servers sometimes fail due to a bug +in the Windows 2000 DNS server where DNS messages larger than 16K are +not handled properly. There will be a hot fix available from +Microsoft to address this issue. In the meantime, the problem can +be worked around by setting "transfer-format one-answer;". +[As of May 4 2001 the hotfix was still being prepared] + + +4. Unrestricted Character Set + +BIND 9 does not restrict the character set of domain names - it is +fully 8-bit clean in accordance with RFC2181 section 11. + +It is strongly recommended that hostnames published in the DNS follow +the RFC952 rules, but BIND 9 will not enforce this restriction. + +Historically, some applications have suffered from security flaws +where data originating from the network, such as names returned by +gethostbyaddr(), are used with insufficient checking and may cause a +breach of security when containing unexpected characters; see +<http://www.cert.org/advisories/CA-96.04.corrupt_info_from_servers.html> +for details. 
Some earlier versions of BIND attempt to protect these +flawed applications from attack by discarding data containing +characters deemed inappropriate in host names or mail addresses, under +the control of the "check-names" option in named.conf and/or "options +no-check-names" in resolv.conf. BIND 9 provides no such protection; +if applications with these flaws are still being used, they should +be upgraded. + + +5. Server Administration Tools + +5.1 Ndc Replaced by Rndc + +The "ndc" program has been replaced by "rndc", which is capable of +remote operation. Unlike ndc, rndc requires a configuration file. +The easiest way to generate a configuration file is to run +"rndc-confgen -a"; see the man pages for rndc(8), rndc-confgen(8), +and rndc.conf(5) for details. + +5.2. Nsupdate Differences + +The BIND 8 implementation of nsupdate had an undocumented feature +where an update request would be broken down into multiple requests +based upon the discovered zones that contained the records. This +behaviour has not been implemented in BIND 9. Each update request +must pertain to a single zone, but it is still possible to do multiple +updates in a single invocation of nsupdate by terminating each update +with an empty line or a "send" command. + + +6. No Information Leakage between Zones + +BIND 9 stores the authoritative data for each zone in a separate data +structure, as recommended in RFC1035 and as required by DNSSEC and +IXFR. When a BIND 9 server is authoritative for both a child zone and +its parent, it will have two distinct sets of NS records at the +delegation point: the authoritative NS records at the child's apex, +and a set of glue NS records in the parent. 
+ +BIND 8 was unable to properly distinguish between these two sets of NS +records and would "leak" the child's NS records into the parent, +effectively causing the parent zone to be silently modified: responses +and zone transfers from the parent contained the child's NS records +rather than the glue configured into the parent (if any). In the case +of children of type "stub", this behavior was documented as a feature, +allowing the glue NS records to be omitted from the parent +configuration. + +Sites that were relying on this BIND 8 behavior need to add any +omitted glue NS records, and any necessary glue A records, to the +parent zone. + +Although stub zones can no longer be used as a mechanism for injecting +NS records into their parent zones, they are still useful as a way of +directing queries for a given domain to a particular set of name +servers. + + +7. Umask not Modified + +The BIND 8 named unconditionally sets the umask to 022. BIND 9 does +not; the umask inherited from the parent process remains in effect. +This may cause files created by named, such as journal files, to be +created with different file permissions than they did in BIND 8. If +necessary, the umask should be set explicitly in the script used to +start the named process. + + +$ISC: migration,v 1.37.2.1 2001/09/21 17:49:58 gson Exp $ diff --git a/usr.sbin/bind/doc/misc/migration-4to9 b/usr.sbin/bind/doc/misc/migration-4to9 new file mode 100644 index 00000000000..6666136234c --- /dev/null +++ b/usr.sbin/bind/doc/misc/migration-4to9 
@@ -0,0 +1,56 @@ +Copyright (C) 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +$ISC: migration-4to9,v 1.3 2001/05/19 01:20:16 gson Exp $ + + BIND 4 to BIND 9 Migration Notes + +To transition from BIND 4 to BIND 9 you first need to convert your +configuration file to the new format. There is a conversion tool in +contrib/named-bootconf that allows you to do this. + + named-bootconf.sh < /etc/named.boot > /etc/named.conf + +BIND 9 uses a system assigned port for the UDP queries it makes rather +than port 53 that BIND 4 uses. This may conflict with some firewalls. +The following directives in /etc/named.conf allows you to specify +a port to use. + + query-source address * port 53; + transfer-source * port 53; + notify-source * port 53; + +BIND 9 no longer uses the minimum field to specify the TTL of records +without a explicit TTL. Use the $TTL directive to specify a default TTL +before the first record without a explicit TTL. + + $TTL 3600 + @ IN SOA ns1.example.com. hostmaster.example.com. ( + 2001021100 + 7200 + 1200 + 3600000 + 7200 ) + +BIND 9 does not support multiple CNAMEs with the same owner name. + + Illegal: + www.example.com. CNAME host1.example.com. + www.example.com. CNAME host2.example.com. + +BIND 9 does not support "CNAMEs with other data" with the same owner name, +ignoring the DNSSEC records (SIG, NXT, KEY) that BIND 4 did not support. + + Illegal: + www.example.com. CNAME host1.example.com. + www.example.com. MX 10 host2.example.com. + +BIND 9 is less tolerant of errors in master files, so check your logs and +fix any errors reported. The named-checkzone program can also be to check +master files. + +Outgoing zone transfers now use the "many-answers" format by default. +This format is not understood by certain old versions of BIND 4. 
+You can work around this problem using the option "transfer-format +one-answer;", but since these old versions all have known security +problems, the correct fix is to upgrade the slave servers. diff --git a/usr.sbin/bind/doc/misc/options b/usr.sbin/bind/doc/misc/options new file mode 100644 index 00000000000..7d8e2861bc8 --- /dev/null +++ b/usr.sbin/bind/doc/misc/options 
@@ -0,0 +1,307 @@ + +This is a summary of the named.conf options supported by +this version of BIND 9. + +options { + blackhole { <address_match_element>; ... }; + coresize <size>; + datasize <size>; + deallocate-on-exit <boolean>; // obsolete + directory <quoted_string>; + dump-file <quoted_string>; + fake-iquery <boolean>; // obsolete + files <size>; + has-old-clients <boolean>; // obsolete + heartbeat-interval <integer>; + host-statistics <boolean>; // not implemented + interface-interval <integer>; + listen-on [ port <integer> ] { <address_match_element>; ... }; + listen-on-v6 [ port <integer> ] { <address_match_element>; ... }; + match-mapped-addresses <boolean>; + memstatistics-file <quoted_string>; // not implemented + multiple-cnames <boolean>; // obsolete + named-xfer <quoted_string>; // obsolete + pid-file <quoted_string>; + port <integer>; + random-device <quoted_string>; + recursive-clients <integer>; + rrset-order { [ class <string> ] [ type <string> ] [ name + <quoted_string> ] <string> <string>; ... }; // not implemented + serial-queries <integer>; // obsolete + serial-query-rate <integer>; + stacksize <size>; + statistics-file <quoted_string>; + statistics-interval <integer>; // not yet implemented + tcp-clients <integer>; + tkey-dhkey <quoted_string> <integer>; + tkey-gssapi-credential <quoted_string>; + tkey-domain <quoted_string>; + transfers-per-ns <integer>; + transfers-in <integer>; + transfers-out <integer>; + treat-cr-as-space <boolean>; // obsolete + use-id-pool <boolean>; // obsolete + use-ixfr <boolean>; + version <quoted_string>; + allow-recursion { <address_match_element>; ... }; + allow-v6-synthesis { <address_match_element>; ... }; + sortlist { <address_match_element>; ... }; + topology { <address_match_element>; ... 
}; // not implemented + auth-nxdomain <boolean>; // default changed + minimal-responses <boolean>; + recursion <boolean>; + provide-ixfr <boolean>; + request-ixfr <boolean>; + fetch-glue <boolean>; // obsolete + rfc2308-type1 <boolean>; // not yet implemented + additional-from-auth <boolean>; + additional-from-cache <boolean>; + query-source <querysource4>; + query-source-v6 <querysource6>; + cleaning-interval <integer>; + min-roots <integer>; // not implemented + lame-ttl <integer>; + max-ncache-ttl <integer>; + max-cache-ttl <integer>; + transfer-format ( many-answers | one-answer ); + max-cache-size <size_no_default>; + check-names <string> <string>; // not implemented + cache-file <quoted_string>; + allow-query { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + allow-notify { <address_match_element>; ... }; + notify <notifytype>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address> + ) [ port <integer> ]; ... }; + dialup <dialuptype>; + forward ( first | only ); + forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) + [ port <integer> ]; ... 
}; + maintain-ixfr-base <boolean>; // obsolete + max-ixfr-log-size <size>; // obsolete + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-retry-time <integer>; + min-retry-time <integer>; + max-refresh-time <integer>; + min-refresh-time <integer>; + sig-validity-interval <integer>; + zone-statistics <boolean>; +}; + +controls { + inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | * + ) ] allow { <address_match_element>; ... } [ keys { <string>; ... } ]; + unix <unsupported>; // not implemented +}; + +acl <string> { <address_match_element>; ... }; + +logging { + channel <string> { + file <logfile>; + syslog <optional_facility>; + null; + stderr; + severity <logseverity>; + print-time <boolean>; + print-severity <boolean>; + print-category <boolean>; + }; + category <string> { <string>; ... }; +}; + +view <string> <optional_class> { + match-clients { <address_match_element>; ... }; + match-destinations { <address_match_element>; ... }; + match-recursive-only <boolean>; + key <string> { + algorithm <string>; + secret <string>; + }; + zone <string> <optional_class> { + type ( master | slave | stub | hint | forward ); + allow-update { <address_match_element>; ... }; + file <quoted_string>; + ixfr-base <quoted_string>; // obsolete + ixfr-tmp-file <quoted_string>; // obsolete + masters [ port <integer> ] { ( <ipv4_address> | + <ipv6_address> ) [ port <integer> ] [ key <string> ]; ... }; + pubkey <integer> <integer> <integer> <quoted_string>; // + obsolete + update-policy { ( grant | deny ) <string> ( name | + subdomain | wildcard | self ) <string> <rrtypelist>; ... }; + database <string>; + check-names <string>; // not implemented + allow-query { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... 
}; + allow-update-forwarding { <address_match_element>; ... }; + allow-notify { <address_match_element>; ... }; + notify <notifytype>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * + ) ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> + | * ) ]; + also-notify [ port <integer> ] { ( <ipv4_address> | + <ipv6_address> ) [ port <integer> ]; ... }; + dialup <dialuptype>; + forward ( first | only ); + forwarders [ port <integer> ] { ( <ipv4_address> | + <ipv6_address> ) [ port <integer> ]; ... }; + maintain-ixfr-base <boolean>; // obsolete + max-ixfr-log-size <size>; // obsolete + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | + * ) ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( + <integer> | * ) ]; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-retry-time <integer>; + min-retry-time <integer>; + max-refresh-time <integer>; + min-refresh-time <integer>; + sig-validity-interval <integer>; + zone-statistics <boolean>; + }; + server { + bogus <boolean>; + provide-ixfr <boolean>; + request-ixfr <boolean>; + support-ixfr <boolean>; // obsolete + transfers <integer>; + transfer-format ( many-answers | one-answer ); + keys <server_key>; + edns <boolean>; + }; + trusted-keys { <string> <integer> <integer> <integer> + <quoted_string>; ... }; + allow-recursion { <address_match_element>; ... }; + allow-v6-synthesis { <address_match_element>; ... }; + sortlist { <address_match_element>; ... }; + topology { <address_match_element>; ... 
}; // not implemented + auth-nxdomain <boolean>; // default changed + minimal-responses <boolean>; + recursion <boolean>; + provide-ixfr <boolean>; + request-ixfr <boolean>; + fetch-glue <boolean>; // obsolete + rfc2308-type1 <boolean>; // not yet implemented + additional-from-auth <boolean>; + additional-from-cache <boolean>; + query-source <querysource4>; + query-source-v6 <querysource6>; + cleaning-interval <integer>; + min-roots <integer>; // not implemented + lame-ttl <integer>; + max-ncache-ttl <integer>; + max-cache-ttl <integer>; + transfer-format ( many-answers | one-answer ); + max-cache-size <size_no_default>; + check-names <string> <string>; // not implemented + cache-file <quoted_string>; + allow-query { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + allow-notify { <address_match_element>; ... }; + notify <notifytype>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address> + ) [ port <integer> ]; ... }; + dialup <dialuptype>; + forward ( first | only ); + forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) + [ port <integer> ]; ... }; + maintain-ixfr-base <boolean>; // obsolete + max-ixfr-log-size <size>; // obsolete + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-retry-time <integer>; + min-retry-time <integer>; + max-refresh-time <integer>; + min-refresh-time <integer>; + sig-validity-interval <integer>; + zone-statistics <boolean>; +}; + +lwres { + listen-on [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) + [ port <integer> ]; ... 
}; + view <string> <optional_class>; + search { <string>; ... }; + ndots <integer>; +}; + +key <string> { + algorithm <string>; + secret <string>; +}; + +zone <string> <optional_class> { + type ( master | slave | stub | hint | forward ); + allow-update { <address_match_element>; ... }; + file <quoted_string>; + ixfr-base <quoted_string>; // obsolete + ixfr-tmp-file <quoted_string>; // obsolete + masters [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) [ + port <integer> ] [ key <string> ]; ... }; + pubkey <integer> <integer> <integer> <quoted_string>; // obsolete + update-policy { ( grant | deny ) <string> ( name | subdomain | + wildcard | self ) <string> <rrtypelist>; ... }; + database <string>; + check-names <string>; // not implemented + allow-query { <address_match_element>; ... }; + allow-transfer { <address_match_element>; ... }; + allow-update-forwarding { <address_match_element>; ... }; + allow-notify { <address_match_element>; ... }; + notify <notifytype>; + notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + also-notify [ port <integer> ] { ( <ipv4_address> | <ipv6_address> + ) [ port <integer> ]; ... }; + dialup <dialuptype>; + forward ( first | only ); + forwarders [ port <integer> ] { ( <ipv4_address> | <ipv6_address> ) + [ port <integer> ]; ... 
}; + maintain-ixfr-base <boolean>; // obsolete + max-ixfr-log-size <size>; // obsolete + transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ]; + transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]; + max-transfer-time-in <integer>; + max-transfer-time-out <integer>; + max-transfer-idle-in <integer>; + max-transfer-idle-out <integer>; + max-retry-time <integer>; + min-retry-time <integer>; + max-refresh-time <integer>; + min-refresh-time <integer>; + sig-validity-interval <integer>; + zone-statistics <boolean>; +}; + +server { + bogus <boolean>; + provide-ixfr <boolean>; + request-ixfr <boolean>; + support-ixfr <boolean>; // obsolete + transfers <integer>; + transfer-format ( many-answers | one-answer ); + keys <server_key>; + edns <boolean>; +}; + +trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... }; + diff --git a/usr.sbin/bind/doc/misc/rfc-compliance b/usr.sbin/bind/doc/misc/rfc-compliance new file mode 100644 index 00000000000..dbab7eb6019 --- /dev/null +++ b/usr.sbin/bind/doc/misc/rfc-compliance 
@@ -0,0 +1,61 @@ +Copyright (C) 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +$ISC: rfc-compliance,v 1.3 2001/04/10 21:51:09 bwelling Exp $ + +BIND 9 is striving for strict compliance with IETF standards. We +believe this release of BIND 9 complies with the following RFCs, with +the caveats and exceptions listed in the numbered notes below. Note +that a number of these RFCs do not have the status of Internet +standards but are proposed or draft standards, experimental RFCs, +or Best Current Practice (BCP) documents. + + RFC1034 + RFC1035 [1] [2] + RFC1123 + RFC1183 + RFC1535 + RFC1536 + RFC1706 + RFC1712 + RFC1750 + RFC1876 + RFC1982 + RFC1995 + RFC1996 + RFC2136 + RFC2163 + RFC2181 + RFC2230 + RFC2308 + RFC2535 [3] [4] + RFC2536 + RFC2537 + RFC2538 + RFC2539 + RFC2671 + RFC2672 + RFC2673 + RFC2782 + RFC2915 + RFC2930 + RFC2931 [5] + RFC3007 + + +[1] Queries to zones that have failed to load return SERVFAIL rather +than a non-authoritative response. This is considered a feature. + +[2] CLASS ANY queries are not supported. This is considered a feature. + +[3] Wildcard records are not supported in DNSSEC secure zones. + +[4] Servers authoritative for secure zones being resolved by BIND 9 +must support EDNS0 (RFC2671), and must return all relevant SIGs and +NXTs in responses rather than relying on the resolving server to +perform separate queries for missing SIGs and NXTs. + +[5] When receiving a query signed with a SIG(0), the server will only +be able to verify the signature if it has the key in its local +authoritative data; it will not do recursion or validation to +retrieve unknown keys. diff --git a/usr.sbin/bind/doc/misc/roadmap b/usr.sbin/bind/doc/misc/roadmap new file mode 100644 index 00000000000..b9e7adcddaa --- /dev/null +++ b/usr.sbin/bind/doc/misc/roadmap 
@@ -0,0 +1,46 @@ +Copyright (C) 2000, 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +$ISC: roadmap,v 1.1 2001/07/09 21:43:37 gson Exp $ + +Road Map to the BIND 9 Source Tree + +bin/named The name server. This relies heavily on the + libraries in lib/isc and lib/dns. + client.c Handling of incoming client requests + query.c Query processing +bin/rndc The remote name daemon control program +bin/dig The "dig" program +bin/dnssec The DNSSEC signer and other DNSSEC tools +bin/nsupdate The "nsupdate" program +bin/tests Test suites and miscellaneous test programs +bin/tests/system System tests; see bin/tests/system/README +lib/dns The DNS library + resolver.c The "full resolver" (performs recursive lookups) + validator.c The DNSSEC validator + db.c The database interface + sdb.c The simple database interface + rbtdb.c The red-black tree database +lib/dns/rdata Routines for handling the various RR types +lib/dns/sec Cryptographic libraries for DNSSEC +lib/isc The ISC library + task.c Task library + unix/socket.c Unix implementation of socket library +lib/isccfg Routines for reading and writing ISC-style + configuration files like named.conf and rndc.conf +lib/isccc The command channel library, used by rndc. +lib/tests Support code for the test suites. +lib/lwres The lightweight resolver library. +doc/draft Current internet-drafts pertaining to the DNS +doc/rfc RFCs pertaining to the DNS +doc/misc Miscellaneous documentation +doc/arm The BIND 9 Administrator Reference Manual +doc/man Man pages +contrib Contributed and other auxiliary code +contrib/idn/mdnkit The multilingual domain name evaluation kit +contrib/sdb Sample drivers for the simple database interface +make Makefile fragments, used by configure + +The library interfaces are mainly documented in the form of comments +in the header files. For example, the task subsystem is documented in +lib/isc/include/isc/task.h 
diff --git a/usr.sbin/bind/doc/misc/sdb b/usr.sbin/bind/doc/misc/sdb new file mode 100644 index 00000000000..45d5c04a536 --- /dev/null +++ b/usr.sbin/bind/doc/misc/sdb 
@@ -0,0 +1,168 @@ +Copyright (C) 2000, 2001 Internet Software Consortium. +See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. + +Using the BIND 9 Simplified Database Interface + +This document describes the care and feeding of the BIND 9 Simplified +Database Interface, which allows you to extend BIND 9 with new ways +of obtaining the data that is published as DNS zones. + + +The Original BIND 9 Database Interface + +BIND 9 has a well-defined "back-end database interface" that makes it +possible to replace the component of the name server responsible for +the storage and retrieval of zone data, called the "database", on a +per-zone basis. The default database is an in-memory, red-black-tree +data structure commonly referred to as "rbtdb", but it is possible to +write drivers to support any number of alternative database +technologies such as in-memory hash tables, application specific +persistent on-disk databases, object databases, or relational +databases. + +The original BIND 9 database interface defined in <dns/db.h> is +designed to efficiently support the full set of database functionality +needed by a name server that implements the complete DNS protocols, +including features such as zone transfers, dynamic update, and DNSSEC. +Each of these aspects of name server operations places its own set of +demands on the data store, with the result that the database API is +quite complex and contains operations that are highly specific to the +DNS. For example, data are stored in a binary format, the name space +is tree structured, and sets of data records are conceptually +associated with DNSSEC signature sets. For these reasons, writing a +driver using this interface is a highly nontrivial undertaking. 
+ + +The Simplified Database Interface + +Many BIND users wish to provide access to various data sources through +the DNS, but are not necessarily interested in completely replacing +the in-memory "rbt" database or in supporting features like dynamic +update, DNSSEC, or even zone transfers. + +Often, all you want is limited, read-only DNS access to an existing +system. For example, you may have an existing relational database +containing hostname/address mappings and wish to provide forvard and +reverse DNS lookups based on this information. Or perhaps you want to +set up a simple DNS-based load balancing system where the name server +answers queries about a single DNS name with a dynamically changing +set of A records. + +BIND 9.1 introduced a new, simplified database interface, or "sdb", +which greatly simplifies the writing of drivers for these kinds of +applications. + + +The sdb Driver + +An sdb driver is an object module, typically written in C, which is +linked into the name server and registers itself with the sdb +subsystem. It provides a set of callback functions, which also serve +to advertise its capabilities. When the name server receives DNS +queries, invokes the callback functions to obtain the data to respond +with. + +Unlike the full database interface, the sdb interface represents all +domain names and resource records as ASCII text. + + +Writing an sdb Driver + +When a driver is registered, it specifies its name, a list of callback +functions, and flags. + +The flags specify whether the driver wants to use relative domain +names where possible. + +The callback functions are as follows. The only one that must be +defined is lookup(). + + - create(zone, argc, argv, driverdata, dbdata) + Create a database object for "zone". + + - destroy(zone, driverdata, dbdata) + Destroy the database object for "zone". + + - lookup(zone, name, dbdata, lookup) + Return all the records at the domain name "name". 
+ + - authority(zone, dbdata, lookup) + Return the SOA and NS records at the zone apex. + + - allnodes(zone, dbdata, allnodes) + Return all data in the zone, for zone transfers. + +For more detail about these functions and their parameters, see +bind9/lib/dns/include/dns/sdb.h. For example drivers, see +bind9/contrib/sdb. + + +Rebuilding the Server + +The driver module and header file must be copied to (or linked into) +the bind9/bin/named and bind9/bin/named/include directories +respectively, and must be added to the DBDRIVER_OBJS and DBDRIVER_SRCS +lines in bin/named/Makefile.in (e.g. for the timedb sample sdb driver, +add timedb.c to DBDRIVER_SRCS and timedb.@O@ to DBDRIVER_OBJS). If +the driver needs additional header files or libraries in nonstandard +places, the DBDRIVER_INCLUDES and DBDRIVER_LIBS lines should also be +updated. + +Calls to dns_sdb_register() and dns_sdb_unregister() (or wrappers, +e.g. timedb_init() and timedb_clear() for the timedb sample sdb +driver) must be inserted into the server, in bind9/bin/named/main.c. +Registration should be in setup(), before the call to +ns_server_create(). Unregistration should be in cleanup(), +after the call to ns_server_destroy(). A #include should be added +corresponding to the driver header file. + +You should try doing this with one or more of the sample drivers +before attempting to write a driver of your own. + + +Configuring the Server + +To make a zone use a new database driver, specify a "database" option +in its "zone" statement in named.conf. 
For example, if the driver +registers itself under the name "acmedb", you might say + + zone "foo.com" { + database "acmedb"; + }; + +You can pass arbitrary arguments to the create() function of the +driver by adding any number of whitespace-separated words after the +driver name: + + zone "foo.com" { + database "acmedb -mode sql -connect 10.0.0.1"; + }; + + +Hints for Driver Writers + + - If a driver is generating data on the fly, it probably should + not implement the allnodes() function, since a zone transfer + will not be meaningful. The allnodes() function is more relevant + with data from a database. + + - The authority() function is necessary if and only if the lookup() + function will not add SOA and NS records at the zone apex. If + SOA and NS records are provided by the lookup() function, + the authority() function should be NULL. + + - When a driver is registered, an opaque object can be provided. This + object is passed into the database create() and destroy() functions. + + - When a database is created, an opaque object can be created that + is associated with that database. This object is passed into the + lookup(), authority(), and allnodes() functions, and is + destroyed by the destroy() function. + + +Future Directions + +A future release may support dynamic loading of sdb drivers. + + +$ISC: sdb,v 1.5 2001/05/30 23:02:03 bwelling Exp $ |
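Review bot: in the `options` file, the ACL-valued statements that appear in the options, view and zone blocks (`allow-query`, `allow-transfer`, `allow-update`, `allow-update-forwarding`, `allow-notify`, `allow-recursion`) are listed only as `{ <address_match_element>; ... }` with no defaults, and the entries tagged `// obsolete` or `// not implemented` (`fetch-glue`, `check-names`, `min-roots`, `topology`, `support-ixfr`, and the rest) do not say whether named rejects them, warns, or silently accepts them. Since this file is the output of `cfg_test --named --grammar` piped through format-options.pl (see Makefile.in), a one-line header pointing readers to the ARM for defaults and for the treatment of obsolete statements would stop the grammar dump from being read as complete configuration documentation, which matters most for the access-control statements above.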
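Review bot: the `rfc-compliance` file carries an ISC revision stamp of April 2001 (`$ISC: rfc-compliance,v 1.3 2001/04/10`) while this import is BIND 9.2.2rc1; the compliance list and its numbered caveats, in particular [3] "Wildcard records are not supported in DNSSEC secure zones" and [5] on SIG(0) keys being verified only from local authoritative data, should be re-checked against the imported code before the file ships as documentation for this release, or the file should state which BIND 9 version its claims were verified against.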
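Review bot: the closing sentence of `roadmap` ("For example, the task subsystem is documented in lib/isc/include/isc/task.h") ends without a period and is the last line of the hunk, so check that the file also ends with a newline; a trailing `.` and newline would finish the sentence cleanly.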
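Review bot: two typos in the `sdb` text, "wish to provide forvard and reverse DNS lookups" (should read "forward") and "When the name server receives DNS queries, invokes the callback functions" (missing the subject "it" before "invokes"). On substance, the hint that a driver generating data on the fly "probably should not implement the allnodes() function, since a zone transfer will not be meaningful" does not say what the server does when a transfer is requested for a zone whose driver has no allnodes() callback; stating that behaviour explicitly, and that the zone's `allow-transfer` ACL still governs who may even ask, would keep driver writers from assuming omitting the callback is itself an access control.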