Adding upstream version 1:9.11.5.P4+dfsg.upstream/1%9.11.5.P4+dfsgupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 1732 insertions, 0 deletions

diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
new file mode 100644
index 0000000..9eb0ce0
--- /dev/null
+++ b/bin/rndc/rndc.c
@@ -0,0 +1,984 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <inttypes.h>
+#include <stdbool.h>
+#include <stdlib.h>
+
+#include <isc/app.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/file.h>
+#include <isc/log.h>
+#include <isc/net.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/random.h>
+#include <isc/socket.h>
+#include <isc/stdtime.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/thread.h>
+#include <isc/util.h>
+
+#include <pk11/site.h>
+
+#include <isccfg/namedconf.h>
+
+#include <isccc/alist.h>
+#include <isccc/base64.h>
+#include <isccc/cc.h>
+#include <isccc/ccmsg.h>
+#include <isccc/result.h>
+#include <isccc/sexpr.h>
+#include <isccc/types.h>
+#include <isccc/util.h>
+
+#include <dns/name.h>
+
+#include <bind9/getaddresses.h>
+
+#include "util.h"
+
+#define SERVERADDRS 10
+
+const char *progname;
+bool verbose;
+
+static const char *admin_conffile;
+static const char *admin_keyfile;
+static const char *version = VERSION;
+static const char *servername = NULL;
+static isc_sockaddr_t serveraddrs[SERVERADDRS];
+static isc_sockaddr_t local4, local6;
+static bool local4set = false, local6set = false;
+static int nserveraddrs;
+static int currentaddr = 0;
+static unsigned int remoteport = 0;
+static isc_socketmgr_t *socketmgr = NULL;
+static isc_buffer_t *databuf;
+static isccc_ccmsg_t ccmsg;
+static uint32_t algorithm;
+static isccc_region_t secret;
+static bool failed = false;
+static bool c_flag = false;
+static isc_mem_t *rndc_mctx;
+static int sends, recvs, connects;
+static char *command;
+static char *args;
+static char program[256];
+static isc_socket_t *sock = NULL;
+static uint32_t serial;
+static bool quiet = false;
+static bool showresult = false;
+
+static void rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task);
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+	fprintf(stderr, "\
+Usage: %s [-b address] [-c config] [-s server] [-p port]\n\
+	[-k key-file ] [-y key] [-r] [-V] command\n\
+\n\
+command is one of the following:\n\
+\n\
+  addzone zone [class [view]] { zone-options }\n\
+		Add zone to given view. Requires allow-new-zones option.\n\
+  delzone [-clean] zone [class [view]]\n\
+		Removes zone from given view.\n\
+  dnstap -reopen\n\
+		Close, truncate and re-open the DNSTAP output file.\n\
+  dnstap -roll count\n\
+		Close, rename and re-open the DNSTAP output file(s).\n\
+  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]\n\
+		Dump cache(s) to the dump file (named_dump.db).\n\
+  flush 	Flushes all of the server's caches.\n\
+  flush [view]	Flushes the server's cache for a view.\n\
+  flushname name [view]\n\
+		Flush the given name from the server's cache(s)\n\
+  flushtree name [view]\n\
+		Flush all names under the given name from the server's cache(s)\n\
+  freeze	Suspend updates to all dynamic zones.\n\
+  freeze zone [class [view]]\n\
+		Suspend updates to a dynamic zone.\n\
+  halt		Stop the server without saving pending updates.\n\
+  halt -p	Stop the server without saving pending updates reporting\n\
+		process id.\n\
+  loadkeys zone [class [view]]\n\
+		Update keys without signing immediately.\n\
+  managed-keys refresh [class [view]]\n\
+		Check trust anchor for RFC 5011 key changes\n\
+  managed-keys status [class [view]]\n\
+		Display RFC 5011 managed keys information\n\
+  managed-keys sync [class [view]]\n\
+		Write RFC 5011 managed keys to disk\n\
+  modzone zone [class [view]] { zone-options }\n\
+		Modify a zone's configuration.\n\
+		Requires allow-new-zones option.\n\
+  notify zone [class [view]]\n\
+		Resend NOTIFY messages for the zone.\n\
+  notrace	Set debugging level to 0.\n\
+  nta -dump\n\
+		List all negative trust anchors.\n\
+  nta [-lifetime duration] [-force] domain [view]\n\
+		Set a negative trust anchor, disabling DNSSEC validation\n\
+		for the given domain.\n\
+		Using -lifetime specifies the duration of the NTA, up\n\
+		to one week.\n\
+		Using -force prevents the NTA from expiring before its\n\
+		full lifetime, even if the domain can validate sooner.\n\
+  nta -remove domain [view]\n\
+		Remove a negative trust anchor, re-enabling validation\n\
+		for the given domain.\n\
+  querylog [ on | off ]\n\
+		Enable / disable query logging.\n\
+  reconfig	Reload configuration file and new zones only.\n\
+  recursing	Dump the queries that are currently recursing (named.recursing)\n\
+  refresh zone [class [view]]\n\
+		Schedule immediate maintenance for a zone.\n\
+  reload	Reload configuration file and zones.\n\
+  reload zone [class [view]]\n\
+		Reload a single zone.\n\
+  retransfer zone [class [view]]\n\
+		Retransfer a single zone without checking serial number.\n\
+  scan		Scan available network interfaces for changes.\n\
+  secroots [view ...]\n\
+		Write security roots to the secroots file.\n\
+  showzone zone [class [view]]\n\
+		Print a zone's configuration.\n\
+  sign zone [class [view]]\n\
+		Update zone keys, and sign as needed.\n\
+  signing -clear all zone [class [view]]\n\
+		Remove the private records for all keys that have\n\
+		finished signing the given zone.\n\
+  signing -clear <keyid>/<algorithm> zone [class [view]]\n\
+		Remove the private record that indicating the given key\n\
+		has finished signing the given zone.\n\
+  signing -list zone [class [view]]\n\
+		List the private records showing the state of DNSSEC\n\
+		signing in the given zone.\n\
+  signing -nsec3param hash flags iterations salt zone [class [view]]\n\
+		Add NSEC3 chain to zone if already signed.\n\
+		Prime zone with NSEC3 chain if not yet signed.\n\
+  signing -nsec3param none zone [class [view]]\n\
+		Remove NSEC3 chains from zone.\n\
+  signing -serial <value> zone [class [view]]\n\
+		Set the zones's serial to <value>.\n\
+  stats		Write server statistics to the statistics file.\n\
+  status	Display status of the server.\n\
+  stop		Save pending updates to master files and stop the server.\n\
+  stop -p	Save pending updates to master files and stop the server\n\
+		reporting process id.\n\
+  sync [-clean]	Dump changes to all dynamic zones to disk, and optionally\n\
+		remove their journal files.\n\
+  sync [-clean] zone [class [view]]\n\
+		Dump a single zone's changes to disk, and optionally\n\
+		remove its journal file.\n\
+  thaw		Enable updates to all dynamic zones and reload them.\n\
+  thaw zone [class [view]]\n\
+		Enable updates to a frozen dynamic zone and reload it.\n\
+  trace		Increment debugging level by one.\n\
+  trace level	Change the debugging level.\n\
+  tsig-delete keyname [view]\n\
+		Delete a TKEY-negotiated TSIG key.\n\
+  tsig-list	List all currently active TSIG keys, including both statically\n\
+		configured and TKEY-negotiated keys.\n\
+  validation [ yes | no | status ] [view]\n\
+		Enable / disable DNSSEC validation.\n\
+  zonestatus zone [class [view]]\n\
+		Display the current status of a zone.\n\
+\n\
+Version: %s\n",
+		progname, version);
+
+	exit(status);
+}
+
+static void
+get_addresses(const char *host, in_port_t port) {
+	isc_result_t result;
+	int found = 0, count;
+
+	if (*host == '/') {
+		result = isc_sockaddr_frompath(&serveraddrs[nserveraddrs],
+					       host);
+		if (result == ISC_R_SUCCESS)
+			nserveraddrs++;
+	} else {
+		count = SERVERADDRS - nserveraddrs;
+		result = bind9_getaddresses(host, port,
+					    &serveraddrs[nserveraddrs],
+					    count, &found);
+		nserveraddrs += found;
+	}
+	if (result != ISC_R_SUCCESS)
+		fatal("couldn't get address for '%s': %s",
+		      host, isc_result_totext(result));
+	INSIST(nserveraddrs > 0);
+}
+
+static void
+rndc_senddone(isc_task_t *task, isc_event_t *event) {
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+
+	UNUSED(task);
+
+	sends--;
+	if (sevent->result != ISC_R_SUCCESS)
+		fatal("send failed: %s", isc_result_totext(sevent->result));
+	isc_event_free(&event);
+	if (sends == 0 && recvs == 0) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+	}
+}
+
+static void
+rndc_recvdone(isc_task_t *task, isc_event_t *event) {
+	isccc_sexpr_t *response = NULL;
+	isccc_sexpr_t *data;
+	isccc_region_t source;
+	char *errormsg = NULL;
+	char *textmsg = NULL;
+	isc_result_t result;
+
+	recvs--;
+
+	if (ccmsg.result == ISC_R_EOF)
+		fatal("connection to remote host closed\n"
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not synchronized, or\n"
+		      "* the key is invalid.");
+
+	if (ccmsg.result != ISC_R_SUCCESS)
+		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+	source.rstart = isc_buffer_base(&ccmsg.buffer);
+	source.rend = isc_buffer_used(&ccmsg.buffer);
+
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+	data = isccc_alist_lookup(response, "_data");
+	if (!isccc_alist_alistp(data))
+		fatal("bad or missing data section in response");
+	result = isccc_cc_lookupstring(data, "err", &errormsg);
+	if (result == ISC_R_SUCCESS) {
+		failed = true;
+		fprintf(stderr, "%s: '%s' failed: %s\n",
+			progname, command, errormsg);
+	}
+	else if (result != ISC_R_NOTFOUND)
+		fprintf(stderr, "%s: parsing response failed: %s\n",
+			progname, isc_result_totext(result));
+
+	result = isccc_cc_lookupstring(data, "text", &textmsg);
+	if (result == ISC_R_SUCCESS) {
+		if ((!quiet || failed) && strlen(textmsg) != 0U)
+			fprintf(failed ? stderr : stdout, "%s\n", textmsg);
+	} else if (result != ISC_R_NOTFOUND)
+		fprintf(stderr, "%s: parsing response failed: %s\n",
+			progname, isc_result_totext(result));
+
+	if (showresult) {
+		isc_result_t eresult;
+
+		result = isccc_cc_lookupuint32(data, "result", &eresult);
+		if (result == ISC_R_SUCCESS)
+			printf("%s %u\n", isc_result_toid(eresult), eresult);
+		else
+			printf("NONE -1\n");
+	}
+
+	isc_event_free(&event);
+	isccc_sexpr_free(&response);
+	if (sends == 0 && recvs == 0) {
+		isc_socket_detach(&sock);
+		isc_task_shutdown(task);
+		RUNTIME_CHECK(isc_app_shutdown() == ISC_R_SUCCESS);
+	}
+}
+
+static void
+rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
+	isccc_sexpr_t *response = NULL;
+	isccc_sexpr_t *_ctrl;
+	isccc_region_t source;
+	isc_result_t result;
+	uint32_t nonce;
+	isccc_sexpr_t *request = NULL;
+	isccc_time_t now;
+	isc_region_t r;
+	isccc_sexpr_t *data;
+	isc_buffer_t b;
+
+	recvs--;
+
+	if (ccmsg.result == ISC_R_EOF)
+		fatal("connection to remote host closed\n"
+		      "This may indicate that\n"
+		      "* the remote server is using an older version of"
+		      " the command protocol,\n"
+		      "* this host is not authorized to connect,\n"
+		      "* the clocks are not synchronized,\n"
+		      "* the key signing algorithm is incorrect, or\n"
+		      "* the key is invalid.");
+
+	if (ccmsg.result != ISC_R_SUCCESS)
+		fatal("recv failed: %s", isc_result_totext(ccmsg.result));
+
+	source.rstart = isc_buffer_base(&ccmsg.buffer);
+	source.rend = isc_buffer_used(&ccmsg.buffer);
+
+	DO("parse message",
+	   isccc_cc_fromwire(&source, &response, algorithm, &secret));
+
+	_ctrl = isccc_alist_lookup(response, "_ctrl");
+	if (!isccc_alist_alistp(_ctrl))
+		fatal("bad or missing ctrl section in response");
+	nonce = 0;
+	if (isccc_cc_lookupuint32(_ctrl, "_nonce", &nonce) != ISC_R_SUCCESS)
+		nonce = 0;
+
+	isc_stdtime_get(&now);
+
+	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+						    now, now + 60, &request));
+	data = isccc_alist_lookup(request, "_data");
+	if (data == NULL)
+		fatal("_data section missing");
+	if (isccc_cc_definestring(data, "type", args) == NULL)
+		fatal("out of memory");
+	if (nonce != 0) {
+		_ctrl = isccc_alist_lookup(request, "_ctrl");
+		if (_ctrl == NULL)
+			fatal("_ctrl section missing");
+		if (isccc_cc_defineuint32(_ctrl, "_nonce", nonce) == NULL)
+			fatal("out of memory");
+	}
+
+	isc_buffer_clear(databuf);
+	/* Skip the length field (4 bytes) */
+	isc_buffer_add(databuf, 4);
+
+	DO("render message",
+	   isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+	isc_buffer_init(&b, databuf->base, 4);
+	isc_buffer_putuint32(&b, databuf->used - 4);
+
+	r.base = databuf->base;
+	r.length = databuf->used;
+
+	isccc_ccmsg_cancelread(&ccmsg);
+	DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+						    rndc_recvdone, NULL));
+	recvs++;
+	DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+					   NULL));
+	sends++;
+
+	isc_event_free(&event);
+	isccc_sexpr_free(&response);
+	isccc_sexpr_free(&request);
+	return;
+}
+
+static void
+rndc_connected(isc_task_t *task, isc_event_t *event) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isccc_sexpr_t *request = NULL;
+	isccc_sexpr_t *data;
+	isccc_time_t now;
+	isc_region_t r;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	connects--;
+
+	if (sevent->result != ISC_R_SUCCESS) {
+		isc_sockaddr_format(&serveraddrs[currentaddr], socktext,
+				    sizeof(socktext));
+		if (sevent->result != ISC_R_CANCELED &&
+		    ++currentaddr < nserveraddrs)
+		{
+			notify("connection failed: %s: %s", socktext,
+			       isc_result_totext(sevent->result));
+			isc_socket_detach(&sock);
+			isc_event_free(&event);
+			rndc_startconnect(&serveraddrs[currentaddr], task);
+			return;
+		} else
+			fatal("connect failed: %s: %s", socktext,
+			      isc_result_totext(sevent->result));
+	}
+
+	isc_stdtime_get(&now);
+	DO("create message", isccc_cc_createmessage(1, NULL, NULL, ++serial,
+						    now, now + 60, &request));
+	data = isccc_alist_lookup(request, "_data");
+	if (data == NULL)
+		fatal("_data section missing");
+	if (isccc_cc_definestring(data, "type", "null") == NULL)
+		fatal("out of memory");
+
+	isc_buffer_clear(databuf);
+	/* Skip the length field (4 bytes) */
+	isc_buffer_add(databuf, 4);
+
+	DO("render message",
+	   isccc_cc_towire(request, &databuf, algorithm, &secret));
+
+	isc_buffer_init(&b, databuf->base, 4);
+	isc_buffer_putuint32(&b, databuf->used - 4);
+
+	r.base = databuf->base;
+	r.length = databuf->used;
+
+	isccc_ccmsg_init(rndc_mctx, sock, &ccmsg);
+	isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
+
+	DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
+						    rndc_recvnonce, NULL));
+	recvs++;
+	DO("send message", isc_socket_send(sock, &r, task, rndc_senddone,
+					   NULL));
+	sends++;
+	isc_event_free(&event);
+	isccc_sexpr_free(&request);
+}
+
+static void
+rndc_startconnect(isc_sockaddr_t *addr, isc_task_t *task) {
+	isc_result_t result;
+	int pf;
+	isc_sockettype_t type;
+
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+	isc_sockaddr_format(addr, socktext, sizeof(socktext));
+
+	notify("using server %s (%s)", servername, socktext);
+
+	pf = isc_sockaddr_pf(addr);
+	if (pf == AF_INET || pf == AF_INET6)
+		type = isc_sockettype_tcp;
+	else
+		type = isc_sockettype_unix;
+	DO("create socket", isc_socket_create(socketmgr, pf, type, &sock));
+	switch (isc_sockaddr_pf(addr)) {
+	case AF_INET:
+		DO("bind socket", isc_socket_bind(sock, &local4, 0));
+		break;
+	case AF_INET6:
+		DO("bind socket", isc_socket_bind(sock, &local6, 0));
+		break;
+	default:
+		break;
+	}
+	DO("connect", isc_socket_connect(sock, addr, task, rndc_connected,
+					 NULL));
+	connects++;
+}
+
+static void
+rndc_start(isc_task_t *task, isc_event_t *event) {
+	isc_event_free(&event);
+
+	currentaddr = 0;
+	rndc_startconnect(&serveraddrs[currentaddr], task);
+}
+
+static void
+parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
+	     cfg_parser_t **pctxp, cfg_obj_t **configp)
+{
+	isc_result_t result;
+	const char *conffile = admin_conffile;
+	const cfg_obj_t *addresses = NULL;
+	const cfg_obj_t *defkey = NULL;
+	const cfg_obj_t *options = NULL;
+	const cfg_obj_t *servers = NULL;
+	const cfg_obj_t *server = NULL;
+	const cfg_obj_t *keys = NULL;
+	const cfg_obj_t *key = NULL;
+	const cfg_obj_t *defport = NULL;
+	const cfg_obj_t *secretobj = NULL;
+	const cfg_obj_t *algorithmobj = NULL;
+	cfg_obj_t *config = NULL;
+	const cfg_obj_t *address = NULL;
+	const cfg_listelt_t *elt;
+	const char *secretstr;
+	const char *algorithmstr;
+	static char secretarray[1024];
+	const cfg_type_t *conftype = &cfg_type_rndcconf;
+	bool key_only = false;
+	const cfg_listelt_t *element;
+
+	if (! isc_file_exists(conffile)) {
+		conffile = admin_keyfile;
+		conftype = &cfg_type_rndckey;
+
+		if (c_flag)
+			fatal("%s does not exist", admin_conffile);
+
+		if (! isc_file_exists(conffile))
+			fatal("neither %s nor %s was found",
+			      admin_conffile, admin_keyfile);
+		key_only = true;
+	} else if (! c_flag && isc_file_exists(admin_keyfile)) {
+		fprintf(stderr, "WARNING: key file (%s) exists, but using "
+			"default configuration file (%s)\n",
+			admin_keyfile, admin_conffile);
+	}
+
+	DO("create parser", cfg_parser_create(mctx, log, pctxp));
+
+	/*
+	 * The parser will output its own errors, so DO() is not used.
+	 */
+	result = cfg_parse_file(*pctxp, conffile, conftype, &config);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not load rndc configuration");
+
+	if (!key_only)
+		(void)cfg_map_get(config, "options", &options);
+
+	if (key_only && servername == NULL)
+		servername = "127.0.0.1";
+	else if (servername == NULL && options != NULL) {
+		const cfg_obj_t *defserverobj = NULL;
+		(void)cfg_map_get(options, "default-server", &defserverobj);
+		if (defserverobj != NULL)
+			servername = cfg_obj_asstring(defserverobj);
+	}
+
+	if (servername == NULL)
+		fatal("no server specified and no default");
+
+	if (!key_only) {
+		(void)cfg_map_get(config, "server", &servers);
+		if (servers != NULL) {
+			for (elt = cfg_list_first(servers);
+			     elt != NULL;
+			     elt = cfg_list_next(elt))
+			{
+				const char *name;
+				server = cfg_listelt_value(elt);
+				name = cfg_obj_asstring(cfg_map_getname(server));
+				if (strcasecmp(name, servername) == 0)
+					break;
+				server = NULL;
+			}
+		}
+	}
+
+	/*
+	 * Look for the name of the key to use.
+	 */
+	if (keyname != NULL)
+		;		/* Was set on command line, do nothing. */
+	else if (server != NULL) {
+		DO("get key for server", cfg_map_get(server, "key", &defkey));
+		keyname = cfg_obj_asstring(defkey);
+	} else if (options != NULL) {
+		DO("get default key", cfg_map_get(options, "default-key",
+						  &defkey));
+		keyname = cfg_obj_asstring(defkey);
+	} else if (!key_only)
+		fatal("no key for server and no default");
+
+	/*
+	 * Get the key's definition.
+	 */
+	if (key_only)
+		DO("get key", cfg_map_get(config, "key", &key));
+	else {
+		DO("get config key list", cfg_map_get(config, "key", &keys));
+		for (elt = cfg_list_first(keys);
+		     elt != NULL;
+		     elt = cfg_list_next(elt))
+		{
+			key = cfg_listelt_value(elt);
+			if (strcasecmp(cfg_obj_asstring(cfg_map_getname(key)),
+				       keyname) == 0)
+				break;
+		}
+		if (elt == NULL)
+			fatal("no key definition for name %s", keyname);
+	}
+	(void)cfg_map_get(key, "secret", &secretobj);
+	(void)cfg_map_get(key, "algorithm", &algorithmobj);
+	if (secretobj == NULL || algorithmobj == NULL)
+		fatal("key must have algorithm and secret");
+
+	secretstr = cfg_obj_asstring(secretobj);
+	algorithmstr = cfg_obj_asstring(algorithmobj);
+
+#ifndef PK11_MD5_DISABLE
+	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
+		algorithm = ISCCC_ALG_HMACMD5;
+	else
+#endif
+	if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+		algorithm = ISCCC_ALG_HMACSHA1;
+	else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
+		algorithm = ISCCC_ALG_HMACSHA224;
+	else if (strcasecmp(algorithmstr, "hmac-sha256") == 0)
+		algorithm = ISCCC_ALG_HMACSHA256;
+	else if (strcasecmp(algorithmstr, "hmac-sha384") == 0)
+		algorithm = ISCCC_ALG_HMACSHA384;
+	else if (strcasecmp(algorithmstr, "hmac-sha512") == 0)
+		algorithm = ISCCC_ALG_HMACSHA512;
+	else
+		fatal("unsupported algorithm: %s", algorithmstr);
+
+	secret.rstart = (unsigned char *)secretarray;
+	secret.rend = (unsigned char *)secretarray + sizeof(secretarray);
+	DO("decode base64 secret", isccc_base64_decode(secretstr, &secret));
+	secret.rend = secret.rstart;
+	secret.rstart = (unsigned char *)secretarray;
+
+	/*
+	 * Find the port to connect to.
+	 */
+	if (remoteport != 0)
+		;		/* Was set on command line, do nothing. */
+	else {
+		if (server != NULL)
+			(void)cfg_map_get(server, "port", &defport);
+		if (defport == NULL && options != NULL)
+			(void)cfg_map_get(options, "default-port", &defport);
+	}
+	if (defport != NULL) {
+		remoteport = cfg_obj_asuint32(defport);
+		if (remoteport > 65535 || remoteport == 0)
+			fatal("port %u out of range", remoteport);
+	} else if (remoteport == 0)
+		remoteport = NS_CONTROL_PORT;
+
+	if (server != NULL)
+		result = cfg_map_get(server, "addresses", &addresses);
+	else
+		result = ISC_R_NOTFOUND;
+	if (result == ISC_R_SUCCESS) {
+		for (element = cfg_list_first(addresses);
+		     element != NULL;
+		     element = cfg_list_next(element))
+		{
+			isc_sockaddr_t sa;
+
+			address = cfg_listelt_value(element);
+			if (!cfg_obj_issockaddr(address)) {
+				unsigned int myport;
+				const char *name;
+				const cfg_obj_t *obj;
+
+				obj = cfg_tuple_get(address, "name");
+				name = cfg_obj_asstring(obj);
+				obj = cfg_tuple_get(address, "port");
+				if (cfg_obj_isuint32(obj)) {
+					myport = cfg_obj_asuint32(obj);
+					if (myport > UINT16_MAX ||
+					    myport == 0)
+						fatal("port %u out of range",
+						      myport);
+				} else
+					myport = remoteport;
+				if (nserveraddrs < SERVERADDRS)
+					get_addresses(name, (in_port_t) myport);
+				else
+					fprintf(stderr, "too many address: "
+						"%s: dropped\n", name);
+				continue;
+			}
+			sa = *cfg_obj_assockaddr(address);
+			if (isc_sockaddr_getport(&sa) == 0)
+				isc_sockaddr_setport(&sa, remoteport);
+			if (nserveraddrs < SERVERADDRS)
+				serveraddrs[nserveraddrs++] = sa;
+			else {
+				char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+				isc_sockaddr_format(&sa, socktext,
+						    sizeof(socktext));
+				fprintf(stderr,
+					"too many address: %s: dropped\n",
+					socktext);
+			}
+		}
+	}
+
+	if (!local4set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = true;
+		}
+	}
+	if (!local4set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address", &address);
+		if (address != NULL) {
+			local4 = *cfg_obj_assockaddr(address);
+			local4set = true;
+		}
+	}
+
+	if (!local6set && server != NULL) {
+		address = NULL;
+		cfg_map_get(server, "source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = true;
+		}
+	}
+	if (!local6set && options != NULL) {
+		address = NULL;
+		cfg_map_get(options, "default-source-address-v6", &address);
+		if (address != NULL) {
+			local6 = *cfg_obj_assockaddr(address);
+			local6set = true;
+		}
+	}
+
+	*configp = config;
+}
+
+int
+main(int argc, char **argv) {
+	isc_result_t result = ISC_R_SUCCESS;
+	bool show_final_mem = false;
+	isc_taskmgr_t *taskmgr = NULL;
+	isc_task_t *task = NULL;
+	isc_log_t *log = NULL;
+	isc_logconfig_t *logconfig = NULL;
+	isc_logdestination_t logdest;
+	cfg_parser_t *pctx = NULL;
+	cfg_obj_t *config = NULL;
+	const char *keyname = NULL;
+	struct in_addr in;
+	struct in6_addr in6;
+	char *p;
+	size_t argslen;
+	int ch;
+	int i;
+
+	result = isc_file_progname(*argv, program, sizeof(program));
+	if (result != ISC_R_SUCCESS)
+		memmove(program, "rndc", 5);
+	progname = program;
+
+	admin_conffile = RNDC_CONFFILE;
+	admin_keyfile = RNDC_KEYFILE;
+
+	isc_sockaddr_any(&local4);
+	isc_sockaddr_any6(&local6);
+
+	result = isc_app_start();
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_app_start() failed: %s", isc_result_totext(result));
+
+	isc_commandline_errprint = false;
+
+	while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:qrs:Vy:"))
+	       != -1) {
+		switch (ch) {
+		case 'b':
+			if (inet_pton(AF_INET, isc_commandline_argument,
+				      &in) == 1) {
+				isc_sockaddr_fromin(&local4, &in, 0);
+				local4set = true;
+			} else if (inet_pton(AF_INET6, isc_commandline_argument,
+					     &in6) == 1) {
+				isc_sockaddr_fromin6(&local6, &in6, 0);
+				local6set = true;
+			}
+			break;
+
+		case 'c':
+			admin_conffile = isc_commandline_argument;
+			c_flag = true;
+			break;
+
+		case 'k':
+			admin_keyfile = isc_commandline_argument;
+			break;
+
+		case 'M':
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+			break;
+
+		case 'm':
+			show_final_mem = true;
+			break;
+
+		case 'p':
+			remoteport = atoi(isc_commandline_argument);
+			if (remoteport > 65535 || remoteport == 0)
+				fatal("port '%s' out of range",
+				      isc_commandline_argument);
+			break;
+
+		case 'q':
+			quiet = true;
+			break;
+
+		case 'r':
+			showresult = true;
+			break;
+
+		case 's':
+			servername = isc_commandline_argument;
+			break;
+
+		case 'V':
+			verbose = true;
+			break;
+
+		case 'y':
+			keyname = isc_commandline_argument;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			}
+			/* FALLTHROUGH */
+		case 'h':
+			usage(0);
+			break;
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	argc -= isc_commandline_index;
+	argv += isc_commandline_index;
+
+	if (argc < 1)
+		usage(1);
+
+	isc_random_get(&serial);
+
+	DO("create memory context", isc_mem_create(0, 0, &rndc_mctx));
+	DO("create socket manager", isc_socketmgr_create(rndc_mctx, &socketmgr));
+	DO("create task manager", isc_taskmgr_create(rndc_mctx, 1, 0, &taskmgr));
+	DO("create task", isc_task_create(taskmgr, 0, &task));
+
+	DO("create logging context", isc_log_create(rndc_mctx, &log, &logconfig));
+	isc_log_setcontext(log);
+	DO("setting log tag", isc_log_settag(logconfig, progname));
+	logdest.file.stream = stderr;
+	logdest.file.name = NULL;
+	logdest.file.versions = ISC_LOG_ROLLNEVER;
+	logdest.file.maximum_size = 0;
+	DO("creating log channel",
+	   isc_log_createchannel(logconfig, "stderr",
+				 ISC_LOG_TOFILEDESC, ISC_LOG_INFO, &logdest,
+				 ISC_LOG_PRINTTAG|ISC_LOG_PRINTLEVEL));
+	DO("enabling log channel", isc_log_usechannel(logconfig, "stderr",
+						      NULL, NULL));
+
+	parse_config(rndc_mctx, log, keyname, &pctx, &config);
+
+	isccc_result_register();
+
+	command = *argv;
+
+	DO("allocate data buffer",
+	   isc_buffer_allocate(rndc_mctx, &databuf, 2048));
+
+	/*
+	 * Convert argc/argv into a space-delimited command string
+	 * similar to what the user might enter in interactive mode
+	 * (if that were implemented).
+	 */
+	argslen = 0;
+	for (i = 0; i < argc; i++)
+		argslen += strlen(argv[i]) + 1;
+
+	args = isc_mem_get(rndc_mctx, argslen);
+	if (args == NULL)
+		DO("isc_mem_get", ISC_R_NOMEMORY);
+
+	p = args;
+	for (i = 0; i < argc; i++) {
+		size_t len = strlen(argv[i]);
+		memmove(p, argv[i], len);
+		p += len;
+		*p++ = ' ';
+	}
+
+	p--;
+	*p++ = '\0';
+	INSIST(p == args + argslen);
+
+	notify("%s", command);
+
+	if (strcmp(command, "restart") == 0)
+		fatal("'%s' is not implemented", command);
+
+	if (nserveraddrs == 0)
+		get_addresses(servername, (in_port_t) remoteport);
+
+	DO("post event", isc_app_onrun(rndc_mctx, task, rndc_start, NULL));
+
+	result = isc_app_run();
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_app_run() failed: %s", isc_result_totext(result));
+
+	if (connects > 0 || sends > 0 || recvs > 0)
+		isc_socket_cancel(sock, task, ISC_SOCKCANCEL_ALL);
+
+	isc_task_detach(&task);
+	isc_taskmgr_destroy(&taskmgr);
+	isc_socketmgr_destroy(&socketmgr);
+	isc_log_destroy(&log);
+	isc_log_setcontext(NULL);
+
+	cfg_obj_destroy(pctx, &config);
+	cfg_parser_destroy(&pctx);
+
+	isc_mem_put(rndc_mctx, args, argslen);
+	isccc_ccmsg_invalidate(&ccmsg);
+
+	dns_name_destroy();
+
+	isc_buffer_free(&databuf);
+
+	if (show_final_mem)
+		isc_mem_stats(rndc_mctx, stderr);
+
+	isc_mem_destroy(&rndc_mctx);
+
+	if (failed)
+		return (1);
+
+	return (0);
+}
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
new file mode 100644
index 0000000..6800331
--- /dev/null
+++ b/bin/rndc/rndc.conf
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Sample rndc configuration file.
+ */
+
+options {
+	default-server  localhost;
+	default-key     "key";
+};
+
+server localhost {
+	key     "key";
+};
+
+key "cc64b3d1db63fc88d7cb5d2f9f57d258" {
+	algorithm hmac-sha256;
+	secret "34f88008d07deabbe65bd01f1d233d47";
+};
+
+server "test1" {
+	key "cc64b3d1db63fc88d7cb5d2f9f57d258";
+	port 5353;
+	addresses { 10.53.0.1; };
+};
+
+key "key" {
+	algorithm       hmac-sha256;
+	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
+};
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
new file mode 100644
index 0000000..056ea6c
--- /dev/null
+++ b/bin/rndc/rndc.conf.5
@@ -0,0 +1,234 @@
+.\" Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" This Source Code Form is subject to the terms of the Mozilla Public
+.\" License, v. 2.0. If a copy of the MPL was not distributed with this
+.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
+.\"
+.hy 0
+.ad l
+'\" t
+.\"     Title: rndc.conf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\"      Date: 2013-03-14
+.\"    Manual: BIND9
+.\"    Source: ISC
+.\"  Language: English
+.\"
+.TH "RNDC\&.CONF" "5" "2013\-03\-14" "ISC" "BIND9"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el       .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+rndc.conf \- rndc configuration file
+.SH "SYNOPSIS"
+.HP \w'\fBrndc\&.conf\fR\ 'u
+\fBrndc\&.conf\fR
+.SH "DESCRIPTION"
+.PP
+rndc\&.conf
+is the configuration file for
+\fBrndc\fR, the BIND 9 name server control utility\&. This file has a similar structure and syntax to
+named\&.conf\&. Statements are enclosed in braces and terminated with a semi\-colon\&. Clauses in the statements are also semi\-colon terminated\&. The usual comment styles are supported:
+.PP
+C style: /* */
+.PP
+C++ style: // to end of line
+.PP
+Unix style: # to end of line
+.PP
+rndc\&.conf
+is much simpler than
+named\&.conf\&. The file uses three statements: an options statement, a server statement and a key statement\&.
+.PP
+The
+\fBoptions\fR
+statement contains five clauses\&. The
+\fBdefault\-server\fR
+clause is followed by the name or address of a name server\&. This host will be used when no name server is given as an argument to
+\fBrndc\fR\&. The
+\fBdefault\-key\fR
+clause is followed by the name of a key which is identified by a
+\fBkey\fR
+statement\&. If no
+\fBkeyid\fR
+is provided on the rndc command line, and no
+\fBkey\fR
+clause is found in a matching
+\fBserver\fR
+statement, this default key will be used to authenticate the server\*(Aqs commands and responses\&. The
+\fBdefault\-port\fR
+clause is followed by the port to connect to on the remote name server\&. If no
+\fBport\fR
+option is provided on the rndc command line, and no
+\fBport\fR
+clause is found in a matching
+\fBserver\fR
+statement, this default port will be used to connect\&. The
+\fBdefault\-source\-address\fR
+and
+\fBdefault\-source\-address\-v6\fR
+clauses which can be used to set the IPv4 and IPv6 source addresses respectively\&.
+.PP
+After the
+\fBserver\fR
+keyword, the server statement includes a string which is the hostname or address for a name server\&. The statement has three possible clauses:
+\fBkey\fR,
+\fBport\fR
+and
+\fBaddresses\fR\&. The key name must match the name of a key statement in the file\&. The port number specifies the port to connect to\&. If an
+\fBaddresses\fR
+clause is supplied these addresses will be used instead of the server name\&. Each address can take an optional port\&. If an
+\fBsource\-address\fR
+or
+\fBsource\-address\-v6\fR
+of supplied then these will be used to specify the IPv4 and IPv6 source addresses respectively\&.
+.PP
+The
+\fBkey\fR
+statement begins with an identifying string, the name of the key\&. The statement has two clauses\&.
+\fBalgorithm\fR
+identifies the authentication algorithm for
+\fBrndc\fR
+to use; currently only HMAC\-MD5 (for compatibility), HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256 (default), HMAC\-SHA384 and HMAC\-SHA512 are supported\&. This is followed by a secret clause which contains the base\-64 encoding of the algorithm\*(Aqs authentication key\&. The base\-64 string is enclosed in double quotes\&.
+.PP
+There are two common ways to generate the base\-64 string for the secret\&. The BIND 9 program
+\fBrndc\-confgen\fR
+can be used to generate a random key, or the
+\fBmmencode\fR
+program, also known as
+\fBmimencode\fR, can be used to generate a base\-64 string from known input\&.
+\fBmmencode\fR
+does not ship with BIND 9 but is available on many systems\&. See the EXAMPLE section for sample command lines for each\&.
+.SH "EXAMPLE"
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+      options {
+        default\-server  localhost;
+        default\-key     samplekey;
+      };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+      server localhost {
+        key             samplekey;
+      };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+      key samplekey {
+        algorithm       hmac\-sha256;
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+      };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+.if n \{\
+.RS 4
+.\}
+.nf
+      key testkey {
+        algorithm	hmac\-sha256;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      };
+.fi
+.if n \{\
+.RE
+.\}
+.PP
+In the above example,
+\fBrndc\fR
+will by default use the server at localhost (127\&.0\&.0\&.1) and the key called samplekey\&. Commands to the localhost server will use the samplekey key, which must also be defined in the server\*(Aqs configuration file with the same name and secret\&. The key statement indicates that samplekey uses the HMAC\-SHA256 algorithm and its secret clause contains the base\-64 encoding of the HMAC\-SHA256 secret enclosed in double quotes\&.
+.PP
+If
+\fBrndc \-s testserver\fR
+is used then
+\fBrndc\fR
+will connect to server on localhost port 5353 using the key testkey\&.
+.PP
+To generate a random secret with
+\fBrndc\-confgen\fR:
+.PP
+\fBrndc\-confgen\fR
+.PP
+A complete
+rndc\&.conf
+file, including the randomly generated key, will be written to the standard output\&. Commented\-out
+\fBkey\fR
+and
+\fBcontrols\fR
+statements for
+named\&.conf
+are also printed\&.
+.PP
+To generate a base\-64 secret with
+\fBmmencode\fR:
+.PP
+\fBecho "known plaintext for a secret" | mmencode\fR
+.SH "NAME SERVER CONFIGURATION"
+.PP
+The name server must be configured to accept rndc connections and to recognize the key specified in the
+rndc\&.conf
+file, using the controls statement in
+named\&.conf\&. See the sections on the
+\fBcontrols\fR
+statement in the BIND 9 Administrator Reference Manual for details\&.
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc-confgen\fR(8),
+\fBmmencode\fR(1),
+BIND 9 Administrator Reference Manual\&.
+.SH "AUTHOR"
+.PP
+\fBInternet Systems Consortium, Inc\&.\fR
+.SH "COPYRIGHT"
+.br
+Copyright \(co 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
new file mode 100644
index 0000000..a021526
--- /dev/null
+++ b/bin/rndc/rndc.conf.docbook
@@ -0,0 +1,241 @@
+<!--
+ - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ -
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ -
+ - See the COPYRIGHT file distributed with this work for additional
+ - information regarding copyright ownership.
+-->
+
+<!-- Converted by db4-upgrade version 1.0 -->
+<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.rndc.conf">
+  <info>
+    <date>2013-03-14</date>
+  </info>
+  <refentryinfo>
+    <corpname>ISC</corpname>
+    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><filename>rndc.conf</filename></refentrytitle>
+    <manvolnum>5</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><filename>rndc.conf</filename></refname>
+    <refpurpose>rndc configuration file</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2000</year>
+      <year>2001</year>
+      <year>2004</year>
+      <year>2005</year>
+      <year>2007</year>
+      <year>2013</year>
+      <year>2014</year>
+      <year>2015</year>
+      <year>2016</year>
+      <year>2018</year>
+      <year>2019</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis sepchar=" ">
+      <command>rndc.conf</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsection><info><title>DESCRIPTION</title></info>
+
+    <para><filename>rndc.conf</filename> is the configuration file
+      for <command>rndc</command>, the BIND 9 name server control
+      utility.  This file has a similar structure and syntax to
+      <filename>named.conf</filename>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
+    </para>
+    <para>
+      C style: /* */
+    </para>
+    <para>
+      C++ style: // to end of line
+    </para>
+    <para>
+      Unix style: # to end of line
+    </para>
+    <para><filename>rndc.conf</filename> is much simpler than
+      <filename>named.conf</filename>.  The file uses three
+      statements: an options statement, a server statement
+      and a key statement.
+    </para>
+    <para>
+      The <option>options</option> statement contains five clauses.
+      The <option>default-server</option> clause is followed by the
+      name or address of a name server.  This host will be used when
+      no name server is given as an argument to
+      <command>rndc</command>.  The <option>default-key</option>
+      clause is followed by the name of a key which is identified by
+      a <option>key</option> statement.  If no
+      <option>keyid</option> is provided on the rndc command line,
+      and no <option>key</option> clause is found in a matching
+      <option>server</option> statement, this default key will be
+      used to authenticate the server's commands and responses.  The
+      <option>default-port</option> clause is followed by the port
+      to connect to on the remote name server.  If no
+      <option>port</option> option is provided on the rndc command
+      line, and no <option>port</option> clause is found in a
+      matching <option>server</option> statement, this default port
+      will be used to connect.
+      The <option>default-source-address</option> and
+      <option>default-source-address-v6</option> clauses which
+      can be used to set the IPv4 and IPv6 source addresses
+      respectively.
+    </para>
+    <para>
+      After the <option>server</option> keyword, the server
+      statement includes a string which is the hostname or address
+      for a name server.  The statement has three possible clauses:
+      <option>key</option>, <option>port</option> and
+      <option>addresses</option>. The key name must match the
+      name of a key statement in the file.  The port number
+      specifies the port to connect to.  If an <option>addresses</option>
+      clause is supplied these addresses will be used instead of
+      the server name.  Each address can take an optional port.
+      If an <option>source-address</option> or <option>source-address-v6</option>
+      of supplied then these will be used to specify the IPv4 and IPv6
+      source addresses respectively.
+    </para>
+    <para>
+      The <option>key</option> statement begins with an identifying
+      string, the name of the key.  The statement has two clauses.
+      <option>algorithm</option> identifies the authentication algorithm
+      for <command>rndc</command> to use; currently only HMAC-MD5
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+      (default), HMAC-SHA384 and HMAC-SHA512 are
+      supported.  This is followed by a secret clause which contains
+      the base-64 encoding of the algorithm's authentication key.  The
+      base-64 string is enclosed in double quotes.
+    </para>
+    <para>
+      There are two common ways to generate the base-64 string for the
+      secret.  The BIND 9 program <command>rndc-confgen</command>
+      can
+      be used to generate a random key, or the
+      <command>mmencode</command> program, also known as
+      <command>mimencode</command>, can be used to generate a
+      base-64
+      string from known input.  <command>mmencode</command> does
+      not
+      ship with BIND 9 but is available on many systems.  See the
+      EXAMPLE section for sample command lines for each.
+    </para>
+  </refsection>
+
+  <refsection><info><title>EXAMPLE</title></info>
+
+
+    <para><programlisting>
+      options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
+</programlisting>
+    </para>
+    <para><programlisting>
+      server localhost {
+        key             samplekey;
+      };
+</programlisting>
+    </para>
+    <para><programlisting>
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+</programlisting>
+    </para>
+    <para><programlisting>
+      key samplekey {
+        algorithm       hmac-sha256;
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+      };
+</programlisting>
+    </para>
+    <para><programlisting>
+      key testkey {
+        algorithm	hmac-sha256;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      };
+    </programlisting>
+    </para>
+
+    <para>
+      In the above example, <command>rndc</command> will by
+      default use
+      the server at localhost (127.0.0.1) and the key called samplekey.
+      Commands to the localhost server will use the samplekey key, which
+      must also be defined in the server's configuration file with the
+      same name and secret.  The key statement indicates that samplekey
+      uses the HMAC-SHA256 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
+    </para>
+    <para>
+      If <command>rndc -s testserver</command> is used then <command>rndc</command> will
+      connect to server on localhost port 5353 using the key testkey.
+    </para>
+    <para>
+      To generate a random secret with <command>rndc-confgen</command>:
+    </para>
+    <para><userinput>rndc-confgen</userinput>
+    </para>
+    <para>
+      A complete <filename>rndc.conf</filename> file, including
+      the
+      randomly generated key, will be written to the standard
+      output.  Commented-out <option>key</option> and
+      <option>controls</option> statements for
+      <filename>named.conf</filename> are also printed.
+    </para>
+    <para>
+      To generate a base-64 secret with <command>mmencode</command>:
+    </para>
+    <para><userinput>echo "known plaintext for a secret" | mmencode</userinput>
+    </para>
+  </refsection>
+
+  <refsection><info><title>NAME SERVER CONFIGURATION</title></info>
+
+    <para>
+      The name server must be configured to accept rndc connections and
+      to recognize the key specified in the <filename>rndc.conf</filename>
+      file, using the controls statement in <filename>named.conf</filename>.
+      See the sections on the <option>controls</option> statement in the
+      BIND 9 Administrator Reference Manual for details.
+    </para>
+  </refsection>
+
+  <refsection><info><title>SEE ALSO</title></info>
+
+    <para><citerefentry>
+        <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>rndc-confgen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>mmencode</refentrytitle><manvolnum>1</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+    </para>
+  </refsection>
+
+</refentry>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
new file mode 100644
index 0000000..c7ca53e
--- /dev/null
+++ b/bin/rndc/rndc.conf.html
@@ -0,0 +1,234 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<!--
+ - Copyright (C) 2000, 2001, 2004, 2005, 2007, 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - This Source Code Form is subject to the terms of the Mozilla Public
+ - License, v. 2.0. If a copy of the MPL was not distributed with this
+ - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+-->
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc.conf</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
+<a name="man.rndc.conf"></a><div class="titlepage"></div>
+  
+  
+
+  
+
+  <div class="refnamediv">
+<h2>Name</h2>
+<p>
+    <code class="filename">rndc.conf</code>
+     &#8212; rndc configuration file
+  </p>
+</div>
+
+  
+
+  <div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+    <div class="cmdsynopsis"><p>
+      <code class="command">rndc.conf</code> 
+    </p></div>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.7"></a><h2>DESCRIPTION</h2>
+
+    <p><code class="filename">rndc.conf</code> is the configuration file
+      for <span class="command"><strong>rndc</strong></span>, the BIND 9 name server control
+      utility.  This file has a similar structure and syntax to
+      <code class="filename">named.conf</code>.  Statements are enclosed
+      in braces and terminated with a semi-colon.  Clauses in
+      the statements are also semi-colon terminated.  The usual
+      comment styles are supported:
+    </p>
+    <p>
+      C style: /* */
+    </p>
+    <p>
+      C++ style: // to end of line
+    </p>
+    <p>
+      Unix style: # to end of line
+    </p>
+    <p><code class="filename">rndc.conf</code> is much simpler than
+      <code class="filename">named.conf</code>.  The file uses three
+      statements: an options statement, a server statement
+      and a key statement.
+    </p>
+    <p>
+      The <code class="option">options</code> statement contains five clauses.
+      The <code class="option">default-server</code> clause is followed by the
+      name or address of a name server.  This host will be used when
+      no name server is given as an argument to
+      <span class="command"><strong>rndc</strong></span>.  The <code class="option">default-key</code>
+      clause is followed by the name of a key which is identified by
+      a <code class="option">key</code> statement.  If no
+      <code class="option">keyid</code> is provided on the rndc command line,
+      and no <code class="option">key</code> clause is found in a matching
+      <code class="option">server</code> statement, this default key will be
+      used to authenticate the server's commands and responses.  The
+      <code class="option">default-port</code> clause is followed by the port
+      to connect to on the remote name server.  If no
+      <code class="option">port</code> option is provided on the rndc command
+      line, and no <code class="option">port</code> clause is found in a
+      matching <code class="option">server</code> statement, this default port
+      will be used to connect.
+      The <code class="option">default-source-address</code> and
+      <code class="option">default-source-address-v6</code> clauses which
+      can be used to set the IPv4 and IPv6 source addresses
+      respectively.
+    </p>
+    <p>
+      After the <code class="option">server</code> keyword, the server
+      statement includes a string which is the hostname or address
+      for a name server.  The statement has three possible clauses:
+      <code class="option">key</code>, <code class="option">port</code> and
+      <code class="option">addresses</code>. The key name must match the
+      name of a key statement in the file.  The port number
+      specifies the port to connect to.  If an <code class="option">addresses</code>
+      clause is supplied these addresses will be used instead of
+      the server name.  Each address can take an optional port.
+      If an <code class="option">source-address</code> or <code class="option">source-address-v6</code>
+      of supplied then these will be used to specify the IPv4 and IPv6
+      source addresses respectively.
+    </p>
+    <p>
+      The <code class="option">key</code> statement begins with an identifying
+      string, the name of the key.  The statement has two clauses.
+      <code class="option">algorithm</code> identifies the authentication algorithm
+      for <span class="command"><strong>rndc</strong></span> to use; currently only HMAC-MD5
+      (for compatibility), HMAC-SHA1, HMAC-SHA224, HMAC-SHA256
+      (default), HMAC-SHA384 and HMAC-SHA512 are
+      supported.  This is followed by a secret clause which contains
+      the base-64 encoding of the algorithm's authentication key.  The
+      base-64 string is enclosed in double quotes.
+    </p>
+    <p>
+      There are two common ways to generate the base-64 string for the
+      secret.  The BIND 9 program <span class="command"><strong>rndc-confgen</strong></span>
+      can
+      be used to generate a random key, or the
+      <span class="command"><strong>mmencode</strong></span> program, also known as
+      <span class="command"><strong>mimencode</strong></span>, can be used to generate a
+      base-64
+      string from known input.  <span class="command"><strong>mmencode</strong></span> does
+      not
+      ship with BIND 9 but is available on many systems.  See the
+      EXAMPLE section for sample command lines for each.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.8"></a><h2>EXAMPLE</h2>
+
+
+    <pre class="programlisting">
+      options {
+        default-server  localhost;
+        default-key     samplekey;
+      };
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+      server localhost {
+        key             samplekey;
+      };
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+      server testserver {
+        key		testkey;
+        addresses	{ localhost port 5353; };
+      };
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+      key samplekey {
+        algorithm       hmac-sha256;
+        secret          "6FMfj43Osz4lyb24OIe2iGEz9lf1llJO+lz";
+      };
+</pre>
+<p>
+    </p>
+    <pre class="programlisting">
+      key testkey {
+        algorithm	hmac-sha256;
+        secret		"R3HI8P6BKw9ZwXwN3VZKuQ==";
+      };
+    </pre>
+<p>
+    </p>
+
+    <p>
+      In the above example, <span class="command"><strong>rndc</strong></span> will by
+      default use
+      the server at localhost (127.0.0.1) and the key called samplekey.
+      Commands to the localhost server will use the samplekey key, which
+      must also be defined in the server's configuration file with the
+      same name and secret.  The key statement indicates that samplekey
+      uses the HMAC-SHA256 algorithm and its secret clause contains the
+      base-64 encoding of the HMAC-SHA256 secret enclosed in double quotes.
+    </p>
+    <p>
+      If <span class="command"><strong>rndc -s testserver</strong></span> is used then <span class="command"><strong>rndc</strong></span> will
+      connect to server on localhost port 5353 using the key testkey.
+    </p>
+    <p>
+      To generate a random secret with <span class="command"><strong>rndc-confgen</strong></span>:
+    </p>
+    <p><strong class="userinput"><code>rndc-confgen</code></strong>
+    </p>
+    <p>
+      A complete <code class="filename">rndc.conf</code> file, including
+      the
+      randomly generated key, will be written to the standard
+      output.  Commented-out <code class="option">key</code> and
+      <code class="option">controls</code> statements for
+      <code class="filename">named.conf</code> are also printed.
+    </p>
+    <p>
+      To generate a base-64 secret with <span class="command"><strong>mmencode</strong></span>:
+    </p>
+    <p><strong class="userinput"><code>echo "known plaintext for a secret" | mmencode</code></strong>
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.9"></a><h2>NAME SERVER CONFIGURATION</h2>
+
+    <p>
+      The name server must be configured to accept rndc connections and
+      to recognize the key specified in the <code class="filename">rndc.conf</code>
+      file, using the controls statement in <code class="filename">named.conf</code>.
+      See the sections on the <code class="option">controls</code> statement in the
+      BIND 9 Administrator Reference Manual for details.
+    </p>
+  </div>
+
+  <div class="refsection">
+<a name="id-1.10"></a><h2>SEE ALSO</h2>
+
+    <p><span class="citerefentry">
+        <span class="refentrytitle">rndc</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">rndc-confgen</span>(8)
+      </span>,
+      <span class="citerefentry">
+        <span class="refentrytitle">mmencode</span>(1)
+      </span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+    </p>
+  </div>
+
+</div></body>
+</html>